This is the accessible text file for GAO report number GAO-08-492 
entitled 'Information Sharing Environment: Definition of the Results to 
Be Achieved in Improving Terrorism-Related Information Sharing Is 
Needed to Guide Implementation and Assess Progress' which was released 
on July 18, 2008. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Requesters: 

United States Government Accountability Office: 

GAO: 

June 2008: 

Information Sharing Environment: 

Definition of the Results to Be Achieved in Improving Terrorism-Related 
Information Sharing Is Needed to Guide Implementation and Assess 
Progress: 

Information Sharing Environment: 

GAO-08-492: 

GAO Highlights: 

Highlights of GAO-08-492, a report to congressional requesters. 

Why GAO Did This Study: 

The attacks on 9/11 underscored the federal government’s need to 
facilitate terrorism-related information sharing among government, 
private sector, and foreign stakeholders. In response, the Intelligence 
Reform and Terrorism Prevention Act of 2004 mandated the creation of 
the Information Sharing Environment (ISE), which is described as an 
approach for the sharing of terrorism-related information. A 
presidentially appointed Program Manager oversees ISE development with 
assistance from the Information Sharing Council (ISC), a forum for 16 
information sharing officials from federal agencies and departments. 
GAO was asked to report on (1) what actions have been taken to guide 
the design and implementation of the ISE and (2) what efforts have been 
made to report on progress in implementing the ISE. To perform this 
work, GAO reviewed related laws, directives, guidance, and ISE planning 
and reporting documents and interviewed officials from the Program 
Manager’s office and key agencies who serve on the ISC. 

What GAO Found: 

To guide ISE design and implementation, the Program Manager has issued 
an implementation plan, completed a number of tasks therein, and 
included other information sharing initiatives in the ISE, but the plan 
does not include some important elements to implement the ISE. The plan 
provides an initial structure and approach for ISE design and 
implementation. For example, the plan includes steps toward protecting 
information privacy and describes a two-phased approach for 
implementing the ISE by June 2009 consisting of 89 action items. 
Completed activities include, among others, development of proposed 
common terrorism information sharing standards. In addition, other 
federal, state, and local initiatives to enhance information sharing 
across the government are being incorporated in the ISE. These 
initiatives include partnering with state and local area fusion 
centers—created primarily to improve information sharing within a state 
or local area—to develop a national network of these centers. 
Nevertheless, Office of the Program Manager officials said that the 89 
action items do not address all the activities that must be completed 
to implement the ISE. Work remains, including defining and 
communicating the ISE’s scope, such as determining all terrorism-
related information that should be part of the ISE, and communicating 
that information to stakeholders involved in the development of the 
ISE. In addition, the desired results to be achieved by the ISE, that 
is, how information sharing is to be improved, the specific milestones, 
and the individual projects—or initiatives—to achieve these results 
have not yet been determined. Defining the scope of a program, desired 
results, milestones, and projects are essential in providing a road map 
to effectively implement a program. Without such a road map, the 
Program Manager and stakeholders risk not being able to effectively 
manage implementation of the ISE. 

To report on progress in implementing the ISE, the Program Manager 
issued an annual report in September 2007, which highlighted individual 
accomplishments and included several annual performance goals, and has 
since begun to develop performance measures, but neither effort 
provides for an assessment of overall progress in ISE implementation 
and of how much work remains. Some individual accomplishments 
contributing to the ISE occurred under the implementation plan; others, 
prior to and separate from ISE creation efforts. In keeping with 
federal guidance, GAO’s work, and the work of others in strategic 
planning, performance measurement, and program management, the 
implementation plan contained six strategic goals and the annual report 
four performance goals for 2008. Also, the Program Manager has begun to 
develop some performance measures, but they focus on counting 
activities accomplished rather than results achieved. For example, the 
measures include the number of ISE organizations with a procedure in 
place for suspicious activity reports, but not how the reports are used 
and what difference they are making in sharing to help prevent 
terrorist attacks. GAO acknowledges that creating such measures is 
difficult, particularly since the program is still being designed, but 
until these measures are refined, future attempts to measure and report 
on progress will be hampered. 

What GAO Recommends: 

GAO recommends that the Program Manager and stakeholders (1) more fully 
define the scope and results to be achieved by the ISE and (2) develop 
a comprehensive set of performance measures that show the extent to 
which the ISE has been implemented and sharing improved. The Program 
Manager generally agreed with these recommendations. 

To view the full product, including the scope and methodology, click on 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-492]. For more 
information, contact Eileen Larence 202-512-8777, LarenceE@gao.gov, or 
David Powner, 202-512-9286, pownerd@gao.gov. 

[End of section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

Initial Steps to Define a Structure and Approach to Implement the ISE 
Have Been Taken, but Work Remains to Define What the ISE Is to Include, 
to Design How it Will Operate, and to Outline Measurable Steps and Time 
Frames to Achieve Implementation and Desired Results: 

The Program Manager Has Issued the First Annual Report and Is 
Developing Initial Performance Measures, but Neither Can Yet Be Used to 
Determine How Much Progress Has Been Made and What Remains: 

Conclusions: 

Recommendations: 

Agency Comments and Our Evaluation: 

Appendix I: Status of Phase I Action Items as of March 1, 2008: 

Appendix II: Comments from Office of the Program Manager for the 
Information Sharing Environment: 

Appendix III: GAO Contacts and Acknowledgments: 

Tables: 

Table 1: 7 Priority Areas in the ISE Implementation Plan: 

Table 2: Strategic Goals Contained in the Implementation Plan: 

Table 3: 2008 Annual Performance Goals Listed in the Annual Report: 

Table 4: Comparison of Action Item Status in July 2007 and March 2008: 

Abbreviations: 

CUI: controlled unclassified information: 

DHS: Department of Homeland Security: 

DNI: Director of National Intelligence: 

DOJ: Department of Justice: 

ISC: Information Sharing Council: 

ISE: Information Sharing Environment: 

ISE EAF: Information Sharing Environment Enterprise Architecture 
Framework: 

FEA: Federal Enterprise Architecture: 

ITACG: Interagency Threat Assessment Coordination Group: 

NCTC: National Counterterrorism Center: 

NIST: National Institute of Standards and Technology: 

PM-ISE: Program Manager for the Information Sharing Environment: 

TSC: Terrorist Screening Center: 

United States Government Accountability Office: 

Washington, DC 20548: 

June 25, 2008: 

Congressional Requesters: 

Following the terrorist attacks of 2001, the Congress and the Executive 
Branch took numerous actions aimed explicitly at establishing a range 
of new security measures to strengthen the nation's ability to 
identify, detect, and deter terrorism-related activities and protect 
national assets and infrastructure from attack.[Footnote 1] One theme 
common to nearly all these efforts was the need to share current 
information on terrorism-related matters with a variety of critical 
stakeholders across all levels of government, the private sector, and 
foreign countries. Recognizing the need to facilitate this sharing, the 
Intelligence Reform Act directed the President to create the 
Information Sharing Environment (ISE).[Footnote 2] As amended by the 9/ 
11 Commission Act, the Intelligence Reform Act defines the ISE as "an 
approach that facilitates the sharing of terrorism and homeland 
security information, which may include any method determined necessary 
and appropriate." In implementing this approach the Program Manager-- 
appointed by the President and responsible for planning for, 
overseeing, and managing this new approach--envisions an ISE that will 
be comprised of policies, procedures, and technologies that link 
people, systems, and information among all critical stakeholders. 

In coordinating implementation of the ISE, the Program Manager depends 
on other federal departments and agencies. In particular, the 
Information Sharing Council (ISC)--comprised of senior representatives 
from 16 federal departments and agencies, some of who possess and 
acquire terrorism-related information--was established in accordance 
with the Intelligence Reform Act to assist the President and the 
Program Manager with their ISE responsibilities. The ISC is to advise 
in developing policies, procedures and guidelines, roles, and 
standards. In providing such assistance, the ISC, which is chaired by 
the Program Manager, is responsible for activities such as working to 
ensure coordination among federal departments and agencies 
participating in the ISE to establish, implement, and maintain the ISE. 
In addition to the ISC member departments and agencies, the Program 
Manager must involve and consider the needs of other stakeholders, to 
include additional federal departments and agencies; state, local, and 
tribal entities; the private sector; and foreign partners and allies. 
It is critical that all of these stakeholders participate in 
development of the ISE because they both possess and require terrorism- 
related information in the performance of their missions. Coordinating 
with this large number of stakeholders--each with its own individual 
agency's interests, business processes, and technical capabilities-- 
adds to the complexity of creating the ISE. 

Our work since 2001 indicates that the federal government has improved 
the sharing of terrorism-related information but has struggled in the 
process. In January 2005, we designated information sharing for 
homeland security a high-risk function because the government had 
continued to face formidable challenges in analyzing and disseminating 
key terrorism-related information in a timely, accurate, and useful 
manner.[Footnote 3] We reported, at the time, that in the absence of 
comprehensive information-sharing plans, many aspects of homeland 
security information sharing remained ineffective and fragmented. We 
noted, as well, that information is a crucial tool in fighting 
terrorism and that its timely dissemination is absolutely critical to 
maintaining the security of our nation. 

In March 2006, our report on information-sharing issues stated that 
more than 4 years after September 11, the nation still lacked the 
governmentwide policies and processes called for in law to provide a 
framework for guiding and integrating a myriad of ongoing efforts to 
share terrorism-related information critical to protecting our 
homeland.[Footnote 4] In that report, we recommended that the Director 
of National Intelligence, among other things, assess progress in 
implementing the ISE and identify barriers to achieving ISE deadlines 
included in an interim implementation plan. The Program Manager is in 
the process of implementing these recommendations, and this report 
provides an update on their status. We also suggested in that report 
and subsequently in a November 2006 report, that the ISE effort was 
among the areas that needed additional congressional 
oversight.[Footnote 5] 

You requested that we provide observations on the ISE and how it is 
being implemented. This report answers the following two questions: 

* What actions have been taken to guide the design and implementation 
of the ISE? 

* What efforts have been made to report on progress in implementing the 
ISE? 

To answer these questions, we identified and reviewed key statutes 
setting out requirements for the Information Sharing Environment, 
including the Intelligence Reform Act and the 9/11 Commission Act. We 
further considered the Government Performance and Results Act of 
1993,[Footnote 6] related guidance issued by OMB,[Footnote 7] and our 
prior[Footnote 8] work on results oriented government, program 
management, and federal coordination and collaboration. We also 
reviewed literature on program management principles, such as the 
Project Management Institute's The Standard for Program 
Management[Footnote 9] and Carnegie Mellon's Capability Maturity Model 
Integration (CMMI®).[Footnote 10] Based on our review of these laws, 
guidance, and literature, we identified standard practices in program 
and project management for defining, designing, and executing programs. 
These practices focus on several critical aspects of program 
management, strategic planning, and performance measurement. 

The scope of our review was limited to those ISE activities performed 
since the Information Sharing Environment Implementation Plan 
(implementation plan) was issued in November 2006 through March 1, 
2008. Applying these identified standard practices in program 
management, we reviewed key ISE planning and reporting documents--the 
November 2006 implementation plan and the September 2007 Annual Report 
to The Congress on the Information Sharing Environment (annual report)-
-as well as other ISE-related strategic planning and performance 
measurement documents and activities. We further interviewed officials 
at the Office of the Program Manager for the Information Sharing 
Environment (PM-ISE) and examined planning and reporting documents 
housed at the office to determine the extent to which actions listed in 
the implementation plan for the first phase of ISE implementation were 
complete as of March 1, 2008. We also interviewed officials from five 
key federal agencies--the departments of Defense, Homeland Security, 
Justice, and State as well as the Office of the Director of National 
Intelligence--who serve on the ISE's Information Sharing Council. These 
federal agencies were chosen because they were identified by the PM-ISE 
as key participants expected to support the ISE since they collect 
defense, homeland security, law enforcement, foreign affairs, and 
intelligence information deemed critical for homeland security. We 
conducted this performance audit from February 2007 through June 2008, 
in accordance with generally accepted government auditing standards. 
Those standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe the 
evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives. 

Results in Brief: 

To guide ISE design and implementation, the Program Manager has issued 
an implementation plan, a number of tasks therein have been completed, 
and other independent and ongoing information sharing initiatives by 
federal, state, and local stakeholders have been integrated into the 
ISE, but the plan does not include some important elements needed to 
implement the ISE. Issued in November 2006, the plan provides an 
initial structure and approach for designing and implementing the ISE 
and addresses ways to meet the ISE requirements set in the Intelligence 
Reform Act as well as guidelines the administration set for 
implementation, as the following examples illustrate: 

* The plan includes steps toward standardizing procedures for managing, 
handling, and disseminating sensitive but unclassified information-- 
information that is generally restricted from public disclosure but not 
designated as classified national security information--as well as 
protecting information privacy. 

* The plan maps out a timeline for further defining what information, 
business processes, and technologies are to be included in the ISE and 
exploring approaches for implementing them, describing a two-phased 
approach for implementing the ISE by June 2009. Phase 1 generally 
covers set-up activities and building relationships among stakeholders, 
and Phase 2 covers design as well as implementation of the ISE. The two 
phases are comprised of 89 total action items organized by priority 
areas, such as improved terrorism information handling. While 48 action 
items were to be completed by June 2007, at the end of Phase 1, only 18 
were completed on time. An additional 15 were completed as of March 
2008. Completed activities include development of proposed common 
terrorism information sharing standards and implementation of 
electronic directory services pages to help identify sources where 
terrorism information may be located within the federal government. The 
incomplete action items are generally those that require a greater 
level of stakeholder involvement and, according to officials at the 
Office of the Program Manager, are taking longer than anticipated to 
complete. 

* Design and implementation incorporate ongoing federal, state, and 
local initiatives to enhance information sharing across the government. 
These initiatives include partnering with state and local area fusion 
centers--collaborative efforts to detect, prevent, investigate, and 
respond to criminal and terrorist activity--and developing a national 
network of these centers to improve sharing among federal, state, and 
local entities, as well as the Terrorist Screening Center to 
consolidate information on known or suspected terrorists who operate 
within the United States for dissemination to federal agencies that use 
the information to screen individuals. 

In accordance with standard practices for program and project 
management, the ISE implementation plan identified action items and 
strategic goals to be achieved. However, work remains in defining and 
communicating the scope and desired results to be achieved by the ISE, 
the specific milestones to be attained, the individual projects--or 
initiatives--and the sequence in which they need to be executed to 
achieve these results and implement the ISE. For example, in terms of 
scope, work to determine all the terrorism-related information that 
should be part of the ISE is yet to be completed. In addition, the 
desired results to be achieved by the ISE--that is, how information 
sharing is to be improved and the specific milestones (e.g., time 
frames), and the projects to achieve these results--have not yet been 
determined. Although the plan contains 89 action items, officials at 
the Office of the Program Manager stated that the action items do not 
address all of the activities that must be completed to implement the 
ISE. This is because, at the time the plan was produced, agreement on 
how the ISE is to function and what it is to include had not been 
reached among the stakeholders and work toward reaching these 
agreements remains ongoing. Therefore, ISE officials stated that an 
assessment of the ISE's progress based on the action items identified 
in the plan alone would not give a true sense of progress toward a 
fully functioning and executed ISE. In accordance with standard program 
management practices, specific desired outcomes or results should be 
conceptualized and defined in the planning process as part of a road 
map, along with the appropriate projects needed to achieve those 
results, supporting resources, stakeholder responsibilities, and 
milestones. Without such a road map, the Program Manager and 
stakeholders risk not being able to effectively manage and implement 
the ISE. 

To report on progress in implementing the ISE, the Program Manager 
issued an annual report on the ISE in September 2007 that highlighted 
individual accomplishments and included several annual performance 
goals as well as developed some performance measures, but did not 
provide an assessment of how much progress has been achieved in 
implementing the ISE and how much remains to be done. More 
specifically, the report cites accomplishments achieved as part of the 
implementation plan as well as others achieved prior to the enactment 
of the Intelligence Reform Act in December 2004 and its requirement to 
implement the ISE. Federal guidance as well as our work and the work of 
others in strategic planning, performance measurement, and program 
management hold that programs should have overarching strategic goals 
that are outcome oriented and are expressed so that progress in 
achieving the goals can be tracked and measured. Moreover, these longer-
term strategic goals should be supported by interim performance goals 
(e.g., annual performance goals) that are also measurable and provide 
for a way to measure and track annual and overall progress (e.g., 
through measures and metrics). In keeping with these practices, the 
implementation plan contained six overall strategic goals, and the 
annual report contained four performance goals for 2008. In addition, 
the Program Manager has begun to develop some annual performance 
measures, but they focus on counting activities accomplished rather 
than results achieved to show the extent of ISE implementation or 
progress towards attaining the ISE strategic goals. For example, 
performance measures developed include the number of ISE organizations 
with a procedure in place for acquiring and processing reports on 
suspicious activities potentially related to terrorism. This measure is 
an important first step in providing quantifiable data for assessing 
progress made, but does not measure for results, such as what 
difference the reports are making in sharing to help prevent terrorist 
attacks. According to officials at the Office of the Program Manager, 
these performance measures are being refined in consultation with the 
ISC to provide the needed framework to measure progress made. Yet, our 
review of a draft of these performance measures showed that they 
continue to focus on counting activities accomplished rather than 
results achieved. We acknowledge that creating such measures is 
difficult, particularly since the program is still being designed, but 
until these measures are refined to account for and communicate 
progress and results, future attempts to measure and report on progress 
will be hampered. 

Thus, to help ensure that the ISE is on a measurable track to success, 
we are recommending that the Program Manager, with full participation 
of relevant stakeholders (e.g., agencies and departments on the ISC), 
(1) more fully define the scope and specific results to be achieved by 
the ISE along with the key milestones and individual projects or 
initiatives needed to achieve these results and (2) develop performance 
measures that show the extent to which the ISE has been implemented and 
sharing improved--including, at a minimum, what has been and remains to 
be accomplished--so as to more effectively account for and communicate 
progress and results. 

We requested comments on a draft of this report from the Secretaries of 
Defense, Homeland Security, and State; the Attorney General; the 
Director of National Intelligence; and the Program Manager for the ISE 
or their designees. The Program Manager provided written comments which 
are summarized below and included in their entirety in appendix II. The 
Program Manager generally agreed with our recommendations, but made 
several comments regarding the report's content. For example, he stated 
that the ISE is a governmentwide transformational effort and an 
evolutionary process, not a traditional "program" that can be audited 
within those parameters. While we agree that the ISE is not a 
traditional "program," in that it is not operated and funded by a 
single department or agency, it is an activity that does receive 
government funding and can be reviewed using program and project 
management principles. With regards to assessing the ISE's progress, 
the Program Manager discussed efforts that our report acknowledges. 
However, our review showed that the performance measures used to assess 
the ISE's progress focus on counting activities accomplished rather 
than results achieved and are not presented in a way that explains how 
they represent progress toward attaining strategic goals. The 
Secretaries of Defense, Homeland Security, and State; the Attorney 
General; and the Director of National Intelligence responded that they 
did not have any comments on the report. Officials in the Office of the 
Program Manager also provided technical comments on the draft that have 
been incorporated, as appropriate. 

Background: 

Federal Law and Policy Call for the Development of an ISE: 

Because of the information-sharing weaknesses among federal departments 
and agencies that became apparent after September 11, the Congress and 
the administration have called for a number of terrorism-related 
information-sharing initiatives, including the development of an ISE, 
as the following instances illustrate: 

* Section 1016 of the Intelligence Reform and Terrorism Prevention Act 
of 2004 (Intelligence Reform Act), enacted December 17, 2004, as 
amended by the Implementing Recommendations of the 9/11 Commission Act 
of 2007 (9/11 Commission Act), enacted August 3, 2007, requires the 
President to take action to facilitate the sharing of terrorism-related 
information by establishing an ISE.[Footnote 11] The Act required the 
President to, among other things, appoint a Program Manager to plan 
for, oversee implementation of, and manage the ISE, and established an 
ISC to assist the President and Program Manager in these duties. In 
addition, the Act required the President, with the assistance of the 
Program Manager, to submit to Congress a report containing an 
implementation plan for the ISE no later than 1 year after the date of 
enactment (enacted December 17, 2004) and specified 11 elements to be 
included in the plan. These elements include, among other things, the 
function, capabilities, resources, and concept for the design of the 
ISE; project plan; budget estimates; performance metrics and measures; 
and defined roles for all stakeholders.[Footnote 12] The Act also 
required annual performance management reports, beginning not later 
than 2 years after enactment, on the state of the ISE and of 
information sharing across the federal government. 

* On December 16, 2005, the President issued a memorandum to implement 
measures consistent with establishing and supporting the ISE.[Footnote 
13] The memorandum sets forth five information sharing guidelines: (a) 
defining common standards for how information is acquired, accessed, 
shared, and used within the ISE; (b) developing a common framework for 
sharing information between and among executive departments and 
agencies; state, local, and tribal governments; law enforcement 
agencies; and the private sector; (c) standardizing the procedures for 
sensitive but unclassified information; (d) facilitating the sharing of 
information between executive departments and agencies and foreign 
governments; and (e) protecting the information privacy rights and 
other legal rights of Americans. The memorandum also directs the heads 
of executive departments and agencies to actively work to promote a 
culture of information sharing within their respective agencies and 
that ongoing information-sharing efforts be leveraged in the 
development of the ISE. 

* In October 2007, the President issued a National Strategy for 
Information Sharing. The strategy is focused on improving the sharing 
of homeland security, terrorism, and law enforcement information 
related to terrorism within and among all levels of government and the 
private sector and articulates the administration's vision on terrorism-
related information sharing. The strategy notes guiding principles and 
efforts taken to improve information sharing across all levels of 
government, the private sector, and foreign partners to date. It also 
contains an appendix that elaborates on the roles of federal, state, 
local, and tribal authorities in information sharing and expands on the 
role of state and major urban area fusion centers. 

Scope and Purpose of the ISE: 

The ISE is not bounded by a single federal agency or component. While 
the Program Manager has been placed within the Office of the Director 
of National Intelligence, from an operational perspective, the ISE is 
to reach across all levels of government as well as the private sector 
and foreign partners. As such, the program is a broad-based 
coordination and collaboration effort among various stakeholders. In 
essence, the ISE can be viewed as a set of cross-cutting communication 
links--encompassing policies, processes, technologies--among and 
between the various entities that gather, analyze, and share terrorism- 
related information. According to officials at the Office of the 
Program Manager, their focus is primarily to ensure that all 
appropriate terrorism-related information is made available to analysts 
and others who need it when they need it. The Program Manager is not 
responsible for the collection or analysis of terrorism-related 
information. 

The ISE implementation plan, released by the Program Manager in 
November 2006, is to be the guiding document describing how the ISE is 
to be implemented. This plan addressed at a very general and 
preliminary level the ISE's information-sharing strategy, roles, and 
needs. The document set out to include: (1) an operational concept; (2) 
the implementation overview; (3) a summary of desired operational 
capabilities; (4) means to develop an architecture and standards; (5) 
an approach to sharing with non-federal partners; (6) ISE enabling 
activities; (7) implementation management; (8) recommendations on a 
structure for expansion and future management; and (9) a summary of 
implementation actions. The plan also acknowledged numerous challenges 
to be addressed, including promoting a culture of information sharing, 
protecting information privacy, and handling terrorism-related 
information. Under the plan, the ISE is comprised of five "communities 
of interest," encompassing intelligence, law enforcement, defense, 
homeland security, and foreign affairs. Each community may comprise 
multiple federal organizations and other stakeholders; information is 
to be shared across these communities. 

Key ISE Players and Roles: 

ISE leadership lies with the presidentially appointed Program Manager, 
for whom the Intelligence Reform Act, as amended, lays out specific 
requirements. Pursuant to the Act, the Program Manager, in consultation 
with the head of any affected department or agency, has governmentwide 
authority over the sharing of terrorism-related information within the 
scope of the ISE and is required to plan for, oversee implementation 
of, and manage the ISE. For example, the Program Manager, in 
consultation with the ISC and consistent with the direction and 
policies issued by the President, the Director of National 
Intelligence, and the Director of the Office of Management and Budget, 
is to issue governmentwide procedures, guidelines, instructions, and 
functional standards, as appropriate, for the management, development, 
and proper operation of the ISE. In fulfilling this responsibility, the 
Program Manager must, among other things, take into account the varying 
missions and security requirements of agencies participating in the ISE 
and ensure the protection of privacy and civil liberties. The 
implementation plan further described areas of responsibility in broad 
terms for the Program Manager. The plan states, for example, that the 
Program Manager is to "act as the central agent to improve terrorism- 
related information sharing among ISE participants by working with them 
to remove barriers, facilitate change, and ensure that ISE 
implementation proceeds efficiently and effectively." In interpreting 
these responsibilities, the Program Manager has exercised discretion by 
focusing on, for example, facilitating information sharing across the 
five ISE communities. To support the development of the ISE, as of June 
2008 the Program Manager has a staff of about 11 government staff and 
31 contractors organized into three divisions--technology, policy and 
planning, and business process. 

Interagency support and advice to the Program Manager on the 
development of the ISE is provided through the ISC. The ISC is chaired 
by the Program Manager and is currently composed of 16 other members, 
each designees of: the Secretaries of State, Treasury, Interior, 
Transportation, Health and Human Services, Commerce, Energy, and 
Homeland Security; the Department of Defense's Office of the Secretary 
of Defense as well as the Joint Chiefs of Staff; the Attorney General; 
the Director of National Intelligence; the Director of the Central 
Intelligence Agency; the Director of the Office of Management and 
Budget; the Director of the FBI; and the Director of the National 
Counterterrorism Center. The ISC is an advisory body, which among other 
things, is expected to: 

* advise the President and the Program Manager on development of 
policies, procedures, guidelines, roles, and standards necessary to 
establish, implement, and maintain the ISE; 

* work to ensure coordination among the federal agencies participating 
in the establishment, implementation, and maintenance of the ISE; and: 

* identify and recommend solutions to gaps between existing 
technologies, programs, and systems used by federal agencies for 
sharing information and the parameters of the proposed information- 
sharing environment. 

The ISC and Program Manager are supported by various task and working 
groups. For example, the Foreign Government Information Sharing Working 
Group, with coordination and assistance from the PM-ISE, helped develop 
a checklist of issues to be taken into account in negotiating 
international agreements. Similarly, an Alerts and Notifications 
Working Group was established to assist the PM-ISE and ISC members in 
their efforts to identify the alerts and notifications to be available 
to federal and non-federal ISE participants. 

Another area of roles and responsibilities for the ISE lies with 
individual federal agencies (including those that belong to the ISC and 
those that do not), state and local governments, and private sector 
entities. In accordance with the Intelligence Reform Act, as amended, 
any federal department or agency using or possessing intelligence or 
terrorism-related information, operating a system in the ISE, or 
otherwise participating or expecting to participate in the ISE must 
fully comply with information-sharing policies, procedures, guidelines, 
rules and standards established pursuant to the ISE. The departments 
and agencies must further ensure the provision of adequate resources 
for systems and activities supporting operation of and participation in 
the ISE, ensure full department or agency cooperation in the 
development of the ISE to implement governmentwide information sharing, 
and submit, as requested, any reports on the implementation of ISE 
requirements within the department or agency. State and local 
governments also play a role in the ISE through, for example, their law 
enforcement efforts to prevent crimes. As such, these governments are 
coordinated with and participate in implementing the ISE. Private 
sector organizations may share terrorism-related information on a 
voluntary basis through existing or newly developed ISE mechanisms as 
well. For example, the ISE leverages existing national plans such as 
the National Infrastructure Protection Plan, which established 
mechanisms for public and private sector organizations to share 
critical infrastructure information on 17 critical infrastructure 
sectors, such as banking and finance, energy, chemical, and 
transportation. 

Initial Steps to Define a Structure and Approach to Implement the ISE 
Have Been Taken, but Work Remains to Define What the ISE Is to Include, 
to Design How It Will Operate, and to Outline Measurable Steps and Time 
Frames to Achieve Implementation and Desired Results: 

To guide the design and implementation of the ISE, the Program Manager 
has issued an implementation plan, completed a number of tasks 
contained in it, and other independent and ongoing information-sharing 
initiatives have been integrated into the ISE, but the plan does not 
include some important elements needed to implement the ISE. The plan 
provides an initial structure and approach for ISE design and 
implementation, as well as describes a two-phased approach for 
implementing the ISE by June 2009. Completed activities include, among 
other things, development of proposed common terrorism information 
sharing standards (CTISS) for sharing terrorism-related information. In 
addition, other federal, state, and local initiatives to enhance 
information sharing across the government have been or are being 
incorporated into the ISE. Based on existing federal guidance as well 
as our prior work and the work of others, standard practices in program 
and project management for defining, designing, and executing programs 
include (1) defining the program's scope, roles and responsibilities, 
and specific results to be achieved, along with the individual projects 
needed to achieve these results, and (2) developing a road map, or 
program plan, to establish an order for executing specific projects 
needed to obtain defined programmatic results within a specified time 
frame and measuring progress and cost in doing so. While efforts to 
date may represent the groundwork needed to facilitate terrorism- 
related information sharing in the future, work remains to define and 
communicate the scope and desired results to be achieved by the ISE, 
the specific milestones and time frames for achieving the results, and 
the individual projects and the sequence of projects needed to achieve 
these results. Without such elements the Program Manager risks not 
being able to effectively manage and implement the ISE. 

The Implementation Plan Provides an Initial Structure and Approach for 
Designing and Implementing the ISE: 

Issued in November 2006, the implementation plan provides an initial 
structure and approach for ISE design and implementation and 
incorporates Presidential Guidelines as well as ISE requirements 
spelled out in the Intelligence Reform Act. For example, the plan 
includes steps towards developing standardized procedures for managing, 
handling, and disseminating sensitive but unclassified information as 
well as protecting information privacy, as called for in the 
Presidential Guidelines. For the most part, the plan also maps out a 
timeline for further defining what information, business processes, and 
technologies are to be included in the ISE and exploring approaches for 
implementing the ISE. For example, the plan describes a two-phased 
approach to implementing the ISE by June 2009, with Phase 1 scheduled 
for the November 2006 to June 2007 time frame and generally covering 
set-up activities and building relationships among stakeholders and 
Phase 2, beginning July 2007, covering design as well as 
implementation. This approach is intended to develop the ISE 
incrementally over a 3-year period. The two phases are comprised of 89 
action items organized by priority areas. These priority areas address 
important aspects of the ISE, from defining information-sharing 
capabilities and technologies to protecting privacy and measuring 
performance (see table 1). 

Table 1: 7 Priority Areas in the ISE Implementation Plan: 

Priority area: Protecting information privacy and civil liberties in 
the ISE; 
Description: Helping ensure that the information privacy and other 
legal rights of Americans are protected in the development and use of 
the ISE. 

Priority area: Improved terrorism information handling; 
Description: Creating standardized, consistent policies and procedures 
for handling classified and unclassified terrorism information. 

Priority area: Sharing with partners outside the federal government; 
Description: Improving coordination at the national level for the 
production and dissemination of terrorism information, and sharing 
responsibility between federal and state governments for the timely 
processing and dissemination of information at every level to meet the 
needs of all end users. 

Priority area: Architecture and standards; 
Description: Constructing, integrating, and maintaining information 
resource infrastructures across the federal government; 
state, local, and tribal governments; 
the private sector; 
and foreign partners. 

Priority area: ISE enabling activities; 
Description: Developing performance management and planning tools as 
well as programming and budgeting documents. 

Priority area: ISE operational capabilities; 
Description: Developing the information technology services needed to 
maximize information sharing. 

Priority area: Promoting a culture of information sharing; 
Description: Developing a culture that promotes information sharing 
across the ISE. 

Source: Information Sharing Environment Implementation Plan. 

[End of table] 

Forty-eight of the action items, all part of Phase 1, were to be 
completed by June 2007. Of these 48, 18 were completed on time and an 
additional 15 were completed by March 2008 (see app. I for details). 
Examples of completed activities covered by these action items include: 

* The development of proposed common terrorism information sharing 
standards--a set of standard operating procedures intended to govern 
how information is to be acquired, accessed, shared, and used within 
the ISE. According to the Program Manager, the proposed standards 
document the rules, conditions, guidelines, and characteristics of 
business processes, production methods, and products supporting 
terrorism-related information sharing. These standards are intended to 
address the Presidential Guideline that required the Director of 
National Intelligence--in coordination with the Secretaries of State, 
Defense, Homeland Security, and the Attorney General--to develop and 
issue such standards. These standards are an important early activity 
because of the structure they are intended to establish for sharing 
across all ISE stakeholders. 

* The development of procedures and markings for sensitive but 
unclassified information to facilitate the exchange of information 
among ISE participants.[Footnote 14] We reported in March 2006 that 
federal agencies use numerous sensitive but unclassified designations 
that govern how this information must be handled, protected, and 
controlled and that the confusion caused by these multiple designations 
creates information-sharing challenges.[Footnote 15] Therefore, we 
recommended the issuance of a policy that consolidates sensitive but 
unclassified designations where possible and addresses their consistent 
application across agencies. Consistent with our recommendation, in May 
2008 the Administration established controlled unclassified information 
(CUI) as the single categorical designation throughout the executive 
branch and established a corresponding CUI framework for designating, 
marking, safeguarding, and disseminating information designated as CUI. 
Once implemented, this effort could help improve access to information 
and improve information sharing. 

* Establishment of an initial operating capability for the Interagency 
Threat Assessment and Coordination Group (ITACG). The purpose of the 
ITACG is to support the efforts of the National Counterterrorism Center 
to produce federally-coordinated terrorism-related information products 
intended for dissemination to state, local, tribal, and private sector 
partners through existing channels established by federal departments 
and agencies. This effort is expected to help address concerns that 
federally produced terrorism-related information that state, local, 
tribal, and private sector organizations need for law enforcement and 
homeland security purposes is sometimes conflicting or not getting to 
them. 

* The establishment of a Federal Fusion Center Coordination Group to 
identify federal resources to support the development and maintenance 
of a network of state-sponsored fusion centers. Most states and many 
local governments have created state and local fusion centers to 
address gaps in information sharing, such as those that occurred on 9/ 
11. These centers are collaborative efforts to detect, prevent, 
investigate, and respond to criminal and terrorist activities. In 
October 2007, we issued a report on the characteristics of and 
challenges for fusion centers and stated that the centers were 
particularly concerned about sustaining their operations over the long 
term.[Footnote 16] We recommended that this group, through the ISC and 
the Program Manager, determine and articulate the federal government's 
role in, and whether it expects to provide resources to, fusion centers 
over the long-term to help ensure their sustainability. According to 
ISE program management officials, work is ongoing to (1) complete a 
baseline capability assessment of designated state and major urban-area 
fusion centers and (2) develop a coordinated federal support plan that 
articulates resources being provided to the fusion centers. 

* The implementation of electronic directory services pages to help 
identify sources where terrorism information may be located within the 
federal government, as called for in the Intelligence Reform Act. In 
meeting this requirement, the electronic directory services are 
described as a collection of directories that enables ISE users to 
search for and locate information by accessing the appropriate people, 
organizations, data, and services related to the counterterrorism 
mission. The Program Manager expects to develop similar directories for 
state, local, and tribal stakeholders. 

Furthermore, work has been done towards accomplishing some action items 
that are not yet complete. For example, agencies, with leadership from 
the PM-ISE, have been working to develop a core training module 
intended to provide an introduction to the ISE and to further promote 
the development of a culture of information sharing. The incomplete 
action items are generally those that require a greater level of 
stakeholder involvement and, according to officials at the Office of 
the Program Manager are taking longer than anticipated to complete, but 
will not delay work on Phase 2 items. However, the action items do not 
address all the activities that must be completed to implement the ISE, 
according to officials at the Office of the Program Manager, and 
several activities identified in the implementation plan will not be 
implemented as identified in the plan. For example, one activity 
identified in the plan included the implementation of an electronic 
directory of services containing green pages in the unclassified 
domain. As identified in the plan, the green pages were to provide a 
searchable listing of counterterrorism-related information-sharing 
resources, systems, and data repositories to support users searching 
for specific data and capabilities. Further, the pages were to provide 
system descriptions and technical and operational contact information 
for gaining access. However, according to officials at the Office of 
the Program Manager, aggregating the information for the green pages 
would no longer enable the information to be posted in an unclassified 
domain. Therefore, the green pages will no longer be completed for the 
sensitive but unclassified security domain. Appendix I provides further 
detail on the status of each Phase 1 action item. 

Federal, State, and Local Agency Initiatives Are Being Leveraged to 
Enhance Information Sharing and Guide Implementation of the ISE: 

Federal, state, and local agencies have their own initiatives to 
enhance information sharing across the government that are being 
leveraged in designing and implementing the ISE. Examples of these 
initiatives include: 

* The Director of National Intelligence (DNI) issued a 100-day plan in 
April 2007, followed by a 500-day plan in September 2007 that focused 
on integrating the intelligence agencies and their missions in a 
collaborative manner.[Footnote 17] One area of focus in these plans is 
improved information sharing. As a result of this effort, the DNI 
reported that an implementation plan was developed to standardize 
identity and access policies across agencies, networks, and systems. 
The 100-day plan notes that as it is implemented, its results are 
intended to be leveraged by the Program Manager as part of the ISE 
because it is anticipated to improve communication within the 
intelligence community--one of the five communities that have been 
designated as critical to the ISE. 

* The National Counterterrorism Center (NCTC) was established in 2004 
in response to recommendations from the 9/11 Commission to operate as a 
partnership of intelligence agencies so that they can analyze and 
disseminate national intelligence data. The center works to ensure that 
intelligence agencies have access to and receive all-source 
intelligence support needed to execute their counterterrorism plans or 
perform independent, alternative, and mission-oriented analysis. 

* As previously noted, in recognition of fusion centers as important 
mechanisms for information sharing, the federal government--including 
the Department of Homeland Security (DHS), the Department of Justice 
(DOJ), and the Program Manager--is taking steps to partner with these 
centers. Although they were created primarily to improve information 
sharing within the state or local area, the implementation plan 
identifies the creation of an integrated national network of fusion 
centers to promote two-way sharing with the federal government, as 
discussed earlier. Toward developing this network, the Program Manager 
and stakeholder agencies have sponsored fusion center conferences and 
provided staff, technical assistance, and funding to these centers. 

* The FBI's Terrorist Screening Center (TSC)--established in September 
2003--maintains the U.S. government's consolidated watch list of known 
or suspected terrorists and sends records from the list to agencies to 
support terrorism-related screening. The 9/11 Commission determined 
that agencies' failures to share information they had on several of the 
terrorists was a major factor in the lead-up to the 9/11 attacks, and 
we recommended in a 2003 report[Footnote 18] that agencies develop such 
a consolidated database of terrorist records. In response, the TSC 
created its consolidated database, which was completed in 2004. The TSC 
receives the majority of its watch list records from the NCTC, which 
compiles the information on known or suspected international terrorists 
from federal agencies. The FBI provides information on known or 
suspected terrorists who operate within the United States. The TSC 
consolidates this information and sends it to federal agencies that use 
it for screening purposes, such as the screening of visa applicants and 
airline passengers. As noted in the annual report, the founding of the 
TSC is considered to be a key milestone in establishing the ISE. We and 
the Inspector General for the Department of Justice have also 
recommended ways in which agencies can enhance the watch list and 
agencies' terrorist-screening processes, such as addressing 
vulnerabilities and creating an interagency governing entity.[Footnote 
19] 

Further Detailing What the ISE Is to Achieve and How It Will Operate 
Should Better Guide Implementation: 

The Program Manager, together with the ISE stakeholders, have followed 
standard practices in program and project management for defining, 
designing, and executing programs by identifying action items and 
strategic goals to be achieved in the implementation plan. However, 
work remains in, among other things, defining and communicating the 
scope and desired results to be achieved by the ISE, the specific 
milestones to be attained, and the individual projects--or initiatives-
-and execution sequence needed to achieve these results and implement 
the ISE. Standard practices in program and project management include 
(1) defining the program scope, roles and responsibilities, and 
specific results to be achieved, along with the individual projects 
needed to achieve these results, and (2) developing a road map, or 
program plan, to establish an order for executing specific projects 
needed to obtain defined programmatic results within a specified time 
frame and measuring progress and cost in doing so. 

Further Defining and Communicating Key Elements of the ISE Will Help 
Address the Limitations of the ISE and Further Describe How the ISE Is 
to Operate: 

First, toward defining the scope of the ISE, the implementation plan 
restates the text of the Intelligence Reform Act, noting that the ISE 
encompasses "the sharing of terrorism information in a manner 
consistent with national security and with applicable legal standards 
relating to privacy and civil liberties" and that the ISE is defined as 
"an approach that facilitates the sharing of terrorism 
information."[Footnote 20] Indeed, this is a broad scope requiring the 
Program Manager and stakeholders, such as members of the Information 
Sharing Council, to further define what the ISE, as a program, is to 
include as well as the scope of what it can address. Fundamentally, the 
Program Manager and stakeholders are still trying to fully define the 
scope and design of the ISE, and a more complete set of activities 
needed to achieve it than those that were included in the 
implementation plan, including, for example: 

* all of the terrorism-related information that should be a part of the 
ISE; 

* what types of terrorism-related information ISE participants have and 
where such information resides; 

* how the information can be put into a "shared space" so that a cross- 
sector of users can easily access and study information from different 
agencies; 

* how this access can be provided while still protecting sensitive 
information and privacy interests; 

* what information systems and networks will be integrated as part of 
the ISE and how; and: 

* methods for motivating agencies to invest in the ISE, be held 
accountable for ensuring that all relevant information is made 
available to ISE stakeholders, and identifying and implementing the 
specific projects needed to ensure the ISE runs effectively. 

Further, the plan notes that the Intelligence Reform Act requires that 
the ISE ensure direct and continuous online electronic access to 
information[Footnote 21] and presents several action items intended to 
identify approaches for sharing information, including the use of 
technologies. However, the plan does not lay out a set of action items 
with related milestones for identifying, among other things, needed 
resources such as all the information to be made available as part of 
the ISE, the source of the information, and what limitations exist in 
making this counter-terrorism information available. In accordance with 
standard practices for program management, these are all elements 
critical for conveying the scope of what the ISE is to include, 
garnering an understanding among stakeholders of needs to be met as 
part of implementing the ISE, and identifying restrictions in 
stakeholder abilities to do so. 

We recognize that defining all of these elements is a complex 
undertaking, especially because of the numerous ISE stakeholders that 
need to coordinate and the many existing and often stovepiped or 
independent methods stakeholders use for meeting their information 
needs that often were not developed with sharing in mind. Nevertheless, 
further defining and communicating key elements of the ISE, such as the 
scope and expected results, along with a road map for meeting needs in 
accordance with standard practices for program management will help, 
among other things, communicate the breadth and limitations of the ISE 
as a program and further describe how the ISE is to operate. 

Second, the plan does not communicate the scope, or parameters, of 
stakeholder roles and responsibilities in such a way that stakeholders 
can understand what they will be held accountable for in implementing 
and operating the ISE. For example, the plan identifies the Program 
Manager's role as responsible for information sharing across the 
government, overseeing the implementation of and managing the ISE, and 
working together with the ISC, but does not articulate aspects of how 
the Program Manager has interpreted this role in contrast to that of 
other stakeholders. For instance, the officials at the Office of the 
Program Manager noted: 

* The Program Manager's office works on developing or improving 
existing business processes that affect information sharing among two 
or more of the five ISE communities, but does not focus on processes 
that are internal to ISE members unless they directly impact the wider 
ISE. Agencies, therefore, are to define ISE related business processes 
and other requirements internal to their organizations along with how 
the information will be used and drive their own analytical efforts. 

* The Program Manager's role focuses on determining if a policy, 
business process, legal or technical issue is preventing the sharing of 
information between two or more communities and on helping to resolve 
these types of issues rather than issues that impact sharing within a 
community, such as homeland security. 

This information on the parameters of the Program Manager's role and 
responsibilities was not transparently communicated in the plan but is 
critical for stakeholders, the Congress, and other policy makers to 
clearly understand, provide for accountability, and ensure the ISE is 
effectively implemented. Without clearly understanding their roles and 
responsibilities, stakeholders may not adequately prepare for and 
provide each other the information and services needed to prevent 
terrorist attacks. According to officials at the Office of the PM-ISE, 
departments and agencies, not the Program Manager alone, are 
responsible for defining the ISE's scope and expected end state. 
Accordingly, in November 2007 they held a first-time off-site with ISC 
members to focus on ISE priorities, clarify responsibilities, and 
emphasize the importance of everyone's active participation and 
leadership. Moreover, the meeting was held to rectify any 
misperceptions and reinforce that all ISE stakeholders are to define 
the ISE. However, according to officials at the Office of the Program 
Manager, problems in department and agency participation make it 
difficult for the ISC to function as an advisory body for ISE 
implementation. Among other things, officials noted that departments 
and agencies do not always provide representatives with the authority 
to speak on behalf of the agency and inconsistent attendance by ISC 
representatives has been an issue. 

Since issuance of the plan, on October 31, 2007, the National Strategy 
for Information Sharing[Footnote 22] was issued, in part, further 
communicating the scope of the ISE and stakeholder roles. The strategy 
reaffirmed that stakeholders at all levels of government, the private 
sector, and foreign allies play a role in the ISE. The strategy also 
outlined some responsibilities for ISE stakeholders at the state, 
local, and tribal government levels. In addition, the strategy further 
defined the role of the Program Manager as also assisting in the 
development of ISE standards and practices. However, the strategy did 
not further clarify the parameters of the Program Manager's role and 
what is within the scope of his responsibilities in "managing" the ISE 
and improving information sharing versus other ISE stakeholders. 

Third, the Program Manager and stakeholders are still in the process of 
defining the programmatic results to be achieved by the ISE as well as 
the associated milestones and projects needed, as standard practices in 
program management suggest for effective program planning and 
performance measurement. Existing federal guidance as well as our work 
and the work of others indicates that programs should have overarching 
strategic goals that state the program's aim or purpose, that define 
how it will be carried out over a period of time, are outcome[Footnote 
23] oriented, and that are expressed so that progress in achieving the 
goals can be tracked and measured.[Footnote 24] Moreover, these longer- 
term strategic goals should be supported by interim performance 
goals[Footnote 25] (e.g., annual performance goals) that are also 
measurable, define the results to be achieved within specified time 
frames, and provide for a way to track annual and overall progress 
(e.g., through measures and metrics). The implementation plan, as an 
early step in planning for the ISE, identifies six strategic ISE goals 
to be achieved. These goals include, for instance, to the maximum 
extent possible, the ISE is to function in a decentralized, 
distributed, and coordinated manner. However, the plan does not define 
what this goal means, set up interim or annual goals and associated 
time sensitive milestones to be built upon to achieve the overall goal, 
or define how agencies will measure and ensure progress in meeting this 
goal in the interim or overall. Instead, the plan notes that 
performance measures will be developed at a later date. Moreover, the 
plan does not present the projects and the sequence in which they need 
to be implemented to achieve this strategic goal in the near term or in 
the future, or the specific resources needed and stakeholder 
responsibilities. Therefore, work remains in developing the road map 
for achieving this strategic goal. Since the plan's issuance, officials 
in the office of the Program Manager and stakeholders have developed 
several performance measures and, as of March 2008, were in the process 
of further refining them. Yet, our review of a draft of these 
performance measures showed that they continue to focus on counting 
activities accomplished rather than results achieved and do not yet 
outline the sequence of projects needed to implement the ISE and 
measurably report on progress in doing so. 

Further, the plan identifies seven priority areas to be addressed in 
implementing the ISE. These include, for example, sharing with partners 
outside the federal government, promoting a culture of information 
sharing, and establishing ISE operational capabilities. But like the 
strategic goals, the priority areas represent general tasks and themes 
to be addressed as part of the ISE and do not define expected results 
in a measurable form, along with supporting performance goals, 
measures, and deadlines for achieving the programmatic results. Without 
these elements, ISE stakeholders may not understand the interim or 
final ISE they are to achieve, assess progress towards implementing the 
ISE, or hold stakeholders accountable for their contributions in 
ensuring that the ISE succeeds. 

Fourth, although required by the Intelligence Reform Act, the 
implementation plan did not provide a budget estimate that identified 
the incremental costs associated with designing, testing, integrating, 
deploying, and operating the ISE but indicated that steps to develop a 
budget estimate would be taken in the future. In part, this is because 
the ISE was in such an early stage of development that it would be 
difficult for agencies to know what to cost out for an estimate. 
Developing a budget estimate, however, is a commonly used tool for 
effective program management. While the Program Manager has been 
working with agencies and the Office of Management and Budget to 
determine the cost of implementing the ISE, officials at the Office of 
the Program Manager stated that the total cost of the ISE has not yet 
been accounted for and that attaining an overall estimate may not be 
achievable. This is because it is difficult for agencies to isolate and 
separate out what actions they are undertaking solely to implement the 
ISE versus ongoing operations. We recognize that attaining an accurate 
and reliable cost estimate for the ISE is a difficult undertaking, 
complicated further by the fact that stakeholders are still defining 
the scope of the ISE, results to be attained, and the projects to 
support it. However, without information on how much the ISE will cost, 
Congress and stakeholders will be unable to determine whether the 
expenses associated with the ISE are worth the results attained and in 
some cases unable to determine what has been accomplished given the 
expended resources. Toward addressing this cost issue, the PM-ISE, in 
collaboration with OMB, has since issued program guidance intended to 
assist in estimating and tracking ISE costs in ISE priority areas, such 
as suspicious activity reporting, developing ISE shared space, and 
alerts, warnings, and notifications. 

Finally, while the implementation plan states that Phase 1 will 
conclude with the development of a detailed plan for implementation, 
including goals, measures, and targets, a revised plan will not be 
issued. Instead, officials at the Office of the Program Manager 
indicated that they consider the implementation plan to be a living 
document with initiatives identified at the outset of development being 
refined as needed based on experience. Officials at the Office of the 
Program Manager acknowledged that the 89 action items contained in the 
plan do not address all of the activities that must be completed to 
implement the ISE. This is because at the time the plan was produced, 
agreement on how the ISE is to function and what it is to include had 
not been reached among the stakeholders. Work toward reaching these 
agreements remains ongoing. Therefore, program officials stated that an 
assessment of the ISE's progress based on the action items identified 
in the plan alone would not give a true sense of progress toward a 
fully functioning and executed ISE. Accordingly, the PM-ISE intends to 
adjust the plan, beginning with refinements in the next annual report. 
For example, according to officials at the Office of the Program 
Manager, to avoid delaying progress, the office plans to revise and 
update certain implementation plan actions in the course of developing 
the June 2008 Annual Report. In addition, officials at the Office of 
the Program Manager stated that based on their experience in Phase 1, 
they are deleting action items that are no longer valid and updating 
others to reflect the ISE's current approach for implementation. 

Making midcourse corrections to further determine and articulate the 
end design of the ISE, or at least more accurately specify what is to 
be achieved in the near term and at various milestones thereafter, is 
in accordance with standard practices in program and project 
management. However, given the ISE's many stakeholders and the work 
that remains to be done in defining the scope of the ISE, the desired 
results to be achieved, and the supporting projects and milestones, it 
is important that the revisions, in accordance with standard practices 
for program management, provide for an effective road map to implement 
the ISE and measure achieved progress in implementing the ISE and in 
improving information sharing. Without such a road map, the Program 
Manager and stakeholders risk not being able to effectively manage and 
implement the ISE. 

An ISE Enterprise Architecture Framework Has Been Developed, but Its 
Usefulness May Be Limited without Further Defining ISE Results: 

Subsequent to the implementation plan, in August 2007, the Program 
Manager issued the ISE Enterprise Architecture Framework Version 1.0 
(ISE EAF), a planning document and tool intended to further inform ISE 
implementation efforts, but its usefulness in guiding the ISE to meet 
terrorism-related information-sharing needs may be hindered by the lack 
of defined programmatic results to be achieved. As reported by the 
Program Manager, the ISE EAF is to help improve information-sharing 
practices, reduce barriers to sharing, and institutionalize sharing by 
providing a new construct, or framework, for planning, installing, and 
operating nationwide information resources within the ISE. Such 
resources may include, for example, business processes and information 
technologies. Further, as noted in the EAF, it is to be used to guide 
the implementation of the ISE, accounting for current capabilities and 
setting the direction and steps towards the envisioned or To-Be 
capabilities. Because the ISE is composed of many organizations, the 
ISE EAF can be looked at as a collection of independent stakeholder 
enterprise architectures[Footnote 26] that were initially designed to 
support individual missions, but are now being leveraged to facilitate 
terrorism-related information sharing among these organizations. In 
doing so, the ISE EAF is to assist in identifying the relationships 
needed to facilitate terrorism information sharing among these 
organizations and is to serve as a tool for understanding what, where, 
and for what purpose current capabilities and resources, such as 
information technology systems, may exist. 

Enterprise architectures generally use strategic planning elements to 
align potential system solutions with program needs. While the ISE EAF 
is intended to augment organizations' enterprise architectures for the 
purpose of sharing terrorism-related information, work remains to 
determine the ISE's desired program outcomes or specific results to be 
achieved, potentially limiting the effectiveness of the ISE EAF in 
guiding the ISE to meet terrorism-related information sharing needs. 
Unlike agency enterprise architectures, the ISE EAF does not seek to 
identify, for example, business processes and information flows at an 
operational level, the level at which organizations determine how 
specific investments in technologies will be used to support business 
needs and provide needed information. Instead, the ISE EAF relies on 
the prerogative of individual departments and agencies to define 
operational processes and information flows as part of their enterprise 
architectures. Officials at the Office of the Program Manager noted 
that OMB and the ISC agencies were very specific about the level of 
detail the ISE EAF was to take, noting that the ISE EAF helps inform, 
but not direct, how departments and agencies do their work at the 
operational level--individually or together. However, without further 
defining outcomes to be achieved and identifying how individual 
agencies are to work together to meet ISE information-sharing needs at 
the level where work is done, the ISE EAF may be limited in its 
usefulness for improving the sharing of terrorism-related information. 

The Program Manager Has Issued the First Annual Report and Is 
Developing Initial Performance Measures, but Neither Can Yet Be Used to 
Determine How Much Progress Has Been Made and What Remains: 

To describe progress in implementing the ISE to date, the Program 
Manager issued an annual report--in response to the Intelligence Reform 
Act's requirement for a yearly performance management report--in 
September 2007 that highlighted individual accomplishments and included 
annual performance goals and has since developed some performance 
measures, but neither effort shows how much measurable progress has 
been made toward implementing the ISE and how much remains to be done. 
In keeping with federal guidance, our work, and the work of others in 
strategic planning, performance measurement, and program management, 
the annual report contained four performance goals for 2008. 
Additionally, some initial performance measures have been developed, 
but they do not address all aspects of the annual performance goals or 
strategic goals and do not show how they represent interim milestones 
to ensure attainment of desired results or outcomes. According to 
officials at the Office of the Program Manager, these performance 
measures are currently being refined in consultation with the ISC to 
provide the needed framework to measure real progress made. We 
acknowledge that creating such measures is difficult, particularly 
since the program is still being designed, but until these measures are 
refined to account for and communicate progress and results, future 
attempts to measure and report on progress will be hampered. 

The Annual Report Cited Accomplishments Made in Implementing the ISE, 
but Not the Extent of Progress Achieved and Remaining Work: 

The annual report conveyed individual ISE-related accomplishments as of 
September 2007 but did not provide Congress and policy makers with 
information on what portion of the ISE has been completed as a result 
of this work and what portion remains. The report lists the preliminary 
actions taken to prepare for establishing the ISE, such as designation 
of the Program Manager, the President's memorandum providing guidelines 
for the ISE, and submission of the implementation plan to the Congress. 
The report also cites individual accomplishments that contribute to the 
ISE, some of which were accomplished under the implementation plan-- 
such as establishment of an electronic directory service for users to 
find contact information for organizations that have counter-terrorism 
missions--and others achieved prior to and or separate from efforts to 
create the ISE. For instance, the report cites several accomplishments 
attained prior to the December 2004 Intelligence Reform Act and its 
call for an ISE, including the creation of the National 
Counterterrorism Center (NCTC) in August 2004 and the establishment of 
the Terrorist Screening Center (TSC) in 2003. In part, because ISE 
implementation remains in the early stages, the annual report 
highlighted these discrete accomplishments without putting them in an 
overall context that showed how much progress has been made and remains 
toward implementing the ISE. While, as previously noted, the 
implementation plan identified a two phased approach for implementing 
the ISE along with 89 action items--the only means presented in the 
implementation plan for tracking completion of ISE implementation--the 
report did not provide a one-for-one reporting on the status of these 
action items as steps for implementing the ISE or identify how much of 
the implementation had been completed. Thus, the Congress and policy 
makers do not yet have the information they need to assess the amount 
and rate of progress, remaining gaps, and the need for any intervening 
strategies. 

Performance Measures Are Being Developed Although They Do Not Yet 
Address All Aspects of the Annual Performance Goals: 

In accordance with existing federal guidance as well as our work and 
the work of others in strategic planning, performance measurement, and 
program management, programs should have overarching strategic goals 
that state the program's aim or purpose, define how it will be carried 
out over a period of time, are outcome oriented, and are expressed so 
that progress in achieving the goals can be tracked and measured. 
Moreover, these longer-term strategic goals should be supported by 
interim performance goals[Footnote 27] (e.g., annual performance goals) 
that are also measurable, define the results to be achieved within 
specified time frames, and provide for a way to measure and track 
annual and overall progress (e.g., through measure and metrics). 
Accordingly, the implementation plan contained six overall strategic 
goals and the annual report contained four annual performance goals for 
2008, as shown in tables 2 and 3. 

Table 2: Strategic Goals Contained in the Implementation Plan: 

1. Facilitate the establishment of a trusted partnership among all 
levels of government, the private sector, and foreign partners. 

2. Promote an information-sharing culture among ISE partners by 
facilitating the improved sharing of timely, validated, protected, and 
actionable terrorism information supported by extensive education, 
training, and awareness programs for ISE participants. 

3. To the maximum extent possible, function in a decentralized, 
distributed, and coordinated manner. 

4. Develop and deploy incrementally, leveraging existing information 
sharing capabilities while also creating new core functions and 
services. 

5. Enable the federal government to speak with one voice on terrorism- 
related matters, and to promote more rapid and effective interchange 
and coordination among federal departments and agencies and state, 
local, and tribal governments, the private sector, and foreign 
partners, thus ensuring effective multi-directional sharing of 
information. 

6. Ensure sharing procedures and policies protect information privacy 
and civil liberties. 

Source: Information Sharing Environment Implementation Plan, November 
2006. 

[End of table] 

Table 3: 2008 Annual Performance Goals Listed in the Annual Report: 

ISE functional areas: Improving sharing practices; 
2008 ISE performance goals: Establish a set of activities and strategic 
approaches to facilitate sharing among all levels of government, 
private sector, and foreign partners. 

ISE functional areas: Creating a culture of sharing; 
2008 ISE performance goals: Develop a shared set of values that change 
behavior of ISE participants through established training programs, 
trained personnel, incentive programs, and privacy protections among 
ISE participants. 

ISE functional areas: Reducing barriers to sharing; 
2008 ISE performance goals: Establish operability that facilitates 
sharing through a common ISE information technology security framework 
to include approved ISE-wide information assurance solutions, 
governmentwide physical and personnel security practices, as well as 
controlled unclassified information framework across the ISE. 

ISE functional areas: Institutionalizing sharing; 
2008 ISE performance goals: Establish capabilities that allow ISE 
participants to create and use quality terrorism-related information by 
improving business processes, developing a common enterprise 
architecture framework, refining common standards, and instituting 
effective resource management for governmentwide programs. 

Source: Annual Report to the Congress on the Information Sharing 
Environment, September 2007. 

[End of table] 

While not reflected in the first annual report, the Program Manager and 
agencies have begun to develop performance measures to improve future 
reporting on progress in implementing the ISE and information sharing 
overall, but these measures focus on counting activities accomplished 
rather than results achieved to show the extent of ISE implementation 
and attaining the ISE's strategic goals. In accordance with our work 
and federal guidance on strategic planning and performance measurement, 
the newly developed measures represent an effort to more concretely and 
quantitatively assess progress in implementing the ISE and improving 
information sharing. The performance measures include, for example, the 
number of ISE organizations with a procedure in place for acquiring and 
processing reports on suspicious activities potentially related to 
terrorism, but not how the reports are used and what difference they 
are making in sharing to help prevent terrorist attacks. Similarly, the 
measures attempt to assess the creation of a culture of sharing by 
tabulating the percentage of relevant ISE organizations that have an 
information-sharing governance body or process in place, but not by 
measuring the outcome--such as how and to what extent cultural change 
is being achieved. Indeed, these measures are an important first step 
in providing quantitative data for assessing progress made in 
information sharing and help to inform Congress and other stakeholders 
on specific information sharing improvements. But, taking the measures 
to the next step--from counting activities to results or outcomes-- 
while difficult, is important to assess results achieved. 

The Program Manager and ISE stakeholders have not yet developed 
measures to address all aspects of the annual performance goals. For 
example, one 2008 performance goal identified in the annual report is 
to establish capabilities that allow ISE participants to create and use 
quality terrorism-related information by improving business processes, 
developing a common enterprise architecture framework, refining common 
standards, and instituting effective resource management for 
governmentwide programs. Based on the description of this performance 
goal, one ISE performance measure that supports this goal includes 
attaining the percentage of applicable ISE organizations that have 
adopted the common terrorism information sharing standards during the 
past or preceding fiscal year(s). However, performance measures in 
support of all topics identified in the goal, such as instituting 
effective resource management for governmentwide programs, have not 
been developed. Further, the performance measures are not presented in 
a way that explains how they represent milestones toward attaining the 
strategic goals or intended outcomes. According to officials at the 
Office of the Program Manager, as of March 2008, they are refining 
their measures in consultation with the ISC to provide an improved 
framework to measure progress made. Yet, our review of a draft of these 
performance measures showed that they continue to focus on counting 
activities accomplished rather than results achieved. We acknowledge 
that creating such measures is difficult, particularly since the 
program is still being designed, but until these measures are refined 
to account for and communicate progress and results, future attempts to 
measure and report on progress will be hampered. 

Conclusions: 

Although the Program Manager and stakeholders have made progress in 
implementing a number of initiatives, successfully implementing the ISE 
remains a daunting task. While efforts to date may represent the 
groundwork needed to facilitate terrorism-related information sharing 
in the future, over 3 years after passage of the Intelligence Reform 
Act, the ISE is still without a clear definition of the specific 
results to be achieved as part of the ISE or the projects, stakeholder 
contributions, and other means needed to achieve these results. The 
Program Manager, together with the ISE stakeholders, have followed 
standard practices in program and project management for defining, 
designing, and executing programs by identifying action items and 
strategic goals to be achieved in the implementation plan. However, 
work remains in, among other things, defining and communicating the 
scope and desired results to be achieve by the ISE, specific milestones 
to achieve the results, and the individual projects and execution 
sequence needed to achieve these results and implement the ISE. Until 
this work is complete, further efforts may result in independent 
contributions to improving information sharing rather than an ISE with 
improved and coordinated sharing of terrorism-related information among 
stakeholders, a critical need exposed by the terrorist attacks of 
September 11. Given that the ISE requires extensive buy-in from 
stakeholders and the Program Manager is relying on stakeholders to 
provide technology and other resources to make the ISE work, it is 
critical to develop a road map for implementing the ISE and improving 
information sharing that communicates the scope and specific results to 
be achieved by the ISE, the key milestones and individual projects 
needed to implement the ISE, needed resources, and stakeholder 
responsibilities. Without such a road map, the Program Manager risks 
not being able to effectively manage and implement the ISE. 

Furthermore, efforts to report on progress to date have provided 
examples of individual actions taken to improve information sharing but 
have not yet included an accounting of how far the Program Manager and 
stakeholder agencies are in achieving an effectively functioning ISE 
and what remains to be done. By not doing so, stakeholders do not have 
a measurable way to ensure that the sharing of terrorism-related 
information has improved and by how much, nor the information needed to 
understand the resources and time frames required to achieve the 
intended results of the ISE. Until the Program Manager and stakeholders 
more fully define the specific results the ISE is to attain and develop 
a set of measures to assess progress in achieving the goals--including, 
at a minimum, what has been done and what remains to be accomplished-- 
Congress and stakeholders will not know how far the nation has come in 
implementing an ISE intended to improve governmentwide information 
sharing. 

Recommendations: 

To help ensure that the ISE is on a measurable track to success, we are 
recommending that the Program Manager, with full participation of 
relevant stakeholders (e.g., agencies and departments on the ISC), take 
the following two actions: 

* more fully define the scope and specific results to be achieved by 
the ISE along with the key milestones and individual projects or 
initiatives needed to achieve these results, and: 

* develop a set of performance measures that show the extent to which 
the ISE has been implemented and sharing improved--including, at a 
minimum, what has been and remains to be accomplished--so as to more 
effectively account for and communicate progress and results. 

Agency Comments and Our Evaluation: 

We requested comments on a draft of this report from the Secretaries of 
Defense, Homeland Security, and State, as well as the Attorney General, 
the Director of National Intelligence, and the Program Manager for the 
ISE or their designees. In a June 6, 2008, letter, the Program Manager 
for the ISE provided written comments, which are summarized below and 
included in their entirety in appendix II. 

The Program Manager generally agreed with our recommendations to more 
fully define the scope and results to be achieved by the ISE and 
develop a comprehensive set of performance measures that show the 
extent to which the ISE has been implemented and sharing improved. 

While the Program Manager agreed with our recommendations, he commented 
that the ISE is a governmentwide transformational effort--emphasizing 
that the ISE is an evolutionary process--and not a traditional 
"program." Therefore, according to the Program Manager, trying to audit 
this interagency initiative strictly within program parameters presents 
problems. We agree that the ISE is a governmentwide transformational 
effort, that it is not a traditional "program," and that it involves an 
evolutionary process. In fact, our report states that the ISE is not 
bounded by a single federal agency or component and that it is a broad- 
based coordination and collaboration effort among various stakeholders. 
While we agree that the ISE is not a traditional "program," in that it 
is not operated and funded by a single department or agency, it is an 
activity that does receive government funding and can be reviewed using 
program and project management principles. As such, we based our 
evaluation of the ISE on a broad set of program and project management 
criteria, including the Government Performance and Results Act of 1993, 
related guidance issued by OMB, and our prior work on results-oriented 
government, program management, and federal coordination and 
collaboration. Further, while we recognize that approaches to 
implementing the ISE and improving information sharing may evolve over 
time as technologies and needs change, calling the ISE an evolutionary 
process does not exempt it from following the practices outlined in our 
report. Following these practices will help ensure that reports of 
progress by the Program Manager on behalf of the ISE at large are based 
on measures of results achieved toward implementing the ISE--that is 
measured based on what the ISE is to be, include, and accomplish in, 
for example, 3 years--rather than ad-hoc claims of progress. 

With regard to efforts for assessing the ISE's progress, the Program 
Manager noted that in the 2007 annual report he introduced a 
performance management approach and his office has since established a 
performance baseline--in the fall of 2007--and measured agencies' 
progress against this baseline through an assessment performed in the 
spring of 2008. Our report acknowledges these efforts. However, our 
review of the performance measures developed in support of the 
performance management approach shows that these measures: (1) focus on 
counting activities accomplished rather than results achieved to show 
the extent of ISE implementation and attaining the ISE's strategic 
goals and (2) are not presented in a way that explains how the measures 
represent milestones toward attaining the strategic goals identified in 
the implementation plan or intended outcomes. In his comments, the 
Program Manager further noted that the June 2008 annual report, which 
was not released by the time we issued this report, would provide more 
current data on performance measurement. However, our review of a draft 
of the measures to be incorporated in the 2008 report showed that they 
continue to focus on counting activities accomplished rather than 
results achieved. Unless the 2008 report corrects these shortfalls and 
establishes a performance management mechanism whereby short-term 
annual goals serve as steps for assessing the ISE's progress towards 
achieving longer-term strategic goals, it and future reports on 
progress will fail to provide the Congress and other policy makers the 
meaningful information needed to understand what progress has been made 
in attaining the defined strategic results for the ISE and improving 
information sharing. 

Finally, the Program Manager said that although the report mentions 
that one of the challenges of the ISE is interagency attention and 
priority to ISE initiatives, the report does not make any 
recommendations in this regard. We agree that interagency collaboration 
in the ISE is a challenge and individual departments and agencies, not 
the Program Manager alone, have responsibilities in implementing the 
ISE. However, to effectively hold these agencies accountable for ISE 
progress, existing issues identified in our report--such as defining 
the outcomes to be achieved and defining clear roles and 
responsibilities--must first be addressed. Given the ISE's many 
stakeholders and recognizing the Program Manager's key leadership role 
for managing the ISE, we maintain that these issues must be addressed 
by the Program Manager, with full participation of relevant 
stakeholders (e.g., agencies and departments on the ISC). Without doing 
so, the Program Manager may continue to face challenges in attaining 
agency buy-in and holding stakeholders accountable for ISE progress. 

Officials in the Office of the Program Manager also provided technical 
comments on the draft that have been incorporated, as appropriate. 

The Secretaries of Defense, Homeland Security, and State; the Attorney 
General; and the Director of National Intelligence responded that they 
did not have any comments on the report. 

As agreed with your offices, unless you publicly release the contents 
of this report earlier, we plan no further distribution until 30 days 
from the report date. We will then send copies of this report to the 
Program Manager for the ISE, the Director of National Intelligence, and 
the Secretaries of the Departments of Defense, Homeland Security, 
Justice, and State; and interested congressional committees. In 
addition, this report will be available at no charge on the GAO Web 
site at [hyperlink, http://www.gao.gov]. 

If you or your staff have any questions concerning this report, please 
contact either Eileen Larence at 202-512-8777 or larencee@gao.gov, or 
David Powner at 202-512-9286 or pownerd@gao.gov. Contact points for our 
Office of Congressional Relations and Public Affairs may be found on 
the last page of this report. GAO staff who made major contributions to 
this report are listed in appendix III. 

Signed by: 

Eileen R. Larence: 

Director, Homeland Security and Justice Issues: 

Signed by: 

David A. Powner: 

Director, Information Technology Management Issues: 

List of Congressional Requesters: 

The Honorable Joseph Lieberman: 
Chairman: 
The Honorable Susan Collins: 
Ranking Member: 
Committee on Homeland Security and Government Affairs: 
United States Senate: 

The Honorable Daniel K. Akaka: 
Chairman: 
Subcommittee on Oversight of Government Management, the Federal 
Workforce and the District of Columbia: 
Committee on Homeland Security and Governmental Affairs: 
United States Senate: 

The Honorable Bennie G. Thompson: 
Chairman: 
Committee on Homeland Security: 
House of Representatives: 

The Honorable Jane Harman: 
Chair: 
Subcommittee on Intelligence, Information Sharing, and Terrorism Risk 
Assessment: 
Committee on Homeland Security: 
House of Representatives: 

[End of section] 

Appendix I: Status of Phase I Action Items as of March 1, 2008: 

Table 1 below provides the status of each of the 48 Phase 1 action 
items identified in the ISE implementation plan as of July 9, 2007, 
nine days after their planned completion date and as of March 1, 2008. 
These action items encompass many areas for development in the ISE, 
ranging from activities such as identifying capabilities and technology 
to privacy protection and performance measures. As the table indicates, 
based on our analysis of status information reported by the Program 
Manager, at the end of phase one's scheduled completion, 18 of 48 
action items had been completed and 30 remained incomplete. Eight 
months later, 33 of 48 action items had been completed, with 15 
remaining incomplete. In determining the status of the action items, we 
reviewed documentation provided by the Program Manager, but did not 
evaluate the effectiveness of the actions taken. 

Table 4: Comparison of Action Item Status in July 2007 and March 2008: 

Action item: 1.01 The Program Manager for the Information Sharing 
Environment (PM-ISE) and Information Sharing Council (ISC) members will 
identify the alerts and notifications to be available to federal and 
non-federal ISE participants and the enabling policies and business 
processes necessary to implement the alert and notification capability. 
(Planned completion: March 2007); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Not complete but in process; 
Description of status as of March 1, 2008: An initial survey of alerts 
and notifications has been conducted to identify, among other things, 
the alerts and warnings that departments and agencies provide to ISE 
partners as well as the method for distributing the alerts and 
notifications. According to officials at the PM-ISE, ISC agency 
representatives are validating this survey and preliminary findings, 
with draft information flows for major alerts and warnings functions 
being developed for potential including in the next published version 
of the Information Sharing Environment Enterprise Architecture 
Framework (ISE EAF). These officials further noted that expected future 
activities include further assessing the remaining ISC agencies' alerts 
and warnings efforts, surveying state, local, and tribal participants, 
and developing an ISE-wide framework for terrorism-related alerts, 
warnings, and notifications. 

Action item: 1.02 The PM-ISE and ISC members will identify existing 
technologies, capabilities, and programs (e.g., Homeland Security 
Presidential Directive-12 and Federal Information Processing Standard 
201) that provide easier user access, but still support identity 
management through audits, authentication, and access controls. The ISC 
will assess the technologies and pilot programs to determine whether or 
not the technologies support its user base and are suitable for ISE 
adoption. (Planned completion: June 2007); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Not complete but in process; 
Description of status as of March 1, 2008: According to PM-ISE 
officials, the action specified in Task 1.02 did not adequately support 
the needs of the ISE, resulting in an altered approach for addressing 
identity management and user access across the ISE. PM-ISE officials 
told us that existing identity management solutions support the 
individual participant's mission needs, but the many differing identity 
management schemes throughout the ISE participants' networks do not 
directly support the ISE as a whole. Therefore, the ISE expects to 
leverage existing identity management schemes, but not create a new 
identity management solution specific to the ISE. Accordingly, in 
December 2007, the PM-ISE's Business Process Working Group produced the 
Business Process Analysis Paper on Access Process. This paper 
identified five requirements to enable ISE user access to terrorism- 
related information. According to PM-ISE officials, these requirements 
are being incorporated into ISE architecture documents and are expected 
to enable departments and agencies to derive lower level requirements. 
Further, according to officials, this paper is being used in an ongoing 
initiative to evaluate PM-ISE sponsored pilots that demonstrated 
capabilities in remote wireless access, federated identity management 
(referenced in Action 1.03) and role-based search. 

Action item: 1.03 The PM-ISE and ISC members will determine what ISE- 
wide identity management capabilities are practical and develop a 
detailed set of requirements and Project Plan for implementation of 
such capabilities in a time frame consistent with technology maturity 
and available budgetary resources. (Planned completion: June 2007); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Not complete but in process; 
Description of status as of March 1, 2008: The PM-ISE is currently 
sponsoring a pilot project on identity management and access intended 
to demonstrate an initial capability to share electronic identity 
information and use that information to enable assured access to 
information stored across the different ISE communities. According to 
PM-ISE officials, the pilot is building an operational, federated 
access management capability by leveraging existing identity management 
solutions and evaluating technologies, policies, and procedures for 
potential ISE identity management solutions. The completion of the 
pilot is expected to result in documenting which identity management 
capabilities may provide the most value to the ISE. 

Action item: 1.04 The PM-ISE and ISC members will investigate existing 
or emerging capabilities that discover data and information within the 
federal government and industry. The initial implementation of 
enterprise search will apply a search engine to index both structured 
and unstructured data. This activity will include the evaluation of 
several ongoing pilot programs using technologies that integrate data 
across heterogeneous networks and data stores to enhance the 
"findability" of relevant information and the interoperability of data 
and information. (Planned completion: June 2007); 
Status as of July 9, 2007: Complete; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Action item: 1.05 The PM-ISE and the ISC will work with the Cross 
Domain Management Office to establish a process to ensure that cross- 
domain solutions developed through this office meet the needs of ISE 
participants. (Planned completion: March 2007); 
Status as of July 9, 2007: Complete; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Action item: 1.06 The PM-ISE and ISC members will identify existing 
collaborative tools that are used and operational in the 
counterterrorism or other analytic or investigative communities and 
review the feasibility of adopting common tools for use across the ISE. 
(Planned completion: March 2007); 
Status as of July 9, 2007: Complete; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Action item: 1.07 The PM-ISE and ISC members will develop requirements 
to implement new and emerging collaborative technologies. (Planned 
completion: June 2007); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Not complete but in process; 
Description of status as of March 1, 2008: A Business Process Analysis 
paper on the Collaboration Process, dated October 1, 2007, has been 
developed. The stated purpose of the document includes conveying key 
user requirements, implementation considerations, and describing a 
future-state process description for the ISE Collaboration Process. 
According to officials at the office of the PM-ISE, this paper was 
disseminated to the Business Process Working Group in December 2007 as 
part of a larger analysis of ISE service processes. They further noted 
that the requirements identified through this effort are being 
incorporated into the ISE EAF documents. 

Action item: 1.08 The PM-ISE and the ISC members will implement the 
Electronic Directory Services Blue, Yellow, and Green Pages in the 
sensitive compartmented information, secret, and sensitive but 
unclassified security domains. (Planned completion: June 2007); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete; 
(Note: The PM-ISE subsequently altered this action item, deciding it 
would no longer complete the Green Pages in the sensitive-but- 
unclassified security domain due to aggregation issues. According to 
officials at the Office of the PM-ISE, aggregating the information for 
the Green Pages would no longer enable the information to be posted in 
an unclassified domain.) 

Action item: 1.09 The PM-ISE and the ISC members will implement 
Electronic Directory Services White Pages in the secret compartmented 
information and secret security domains. (Planned completion: June 
2007); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete; 
(Note: The ISC altered this action item, deciding it would no longer 
complete the White Pages in the secret security domain). 

Action item: 1.10 The PM-ISE, in consultation with the ISC, will 
publish a preliminary version of the ISE Enterprise Architecture 
Framework (ISE EAF) Document providing the models with major portions 
of the ISE and their attributes. (Planned completion: December 2006); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Action item: 1.11 The Office of Management and Budget, in the Federal 
Enterprise Architecture (FEA) Business Reference Model, will include 
"Information Sharing" as a new government subfunction, Business 
Reference Model code 143, with the "Information and Technology 
Management" Line of Business, Business Reference Model code 404. 
(Planned completion: December 2006); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete; 
(Note: Action item 1.11 is complete, except the code 143 is actually 
262.) 

Action item: 1.12 The PM-ISE will work with National Security Agency, 
the National Institute of Standards and Technology, Director of 
National IntelIigence/Chief Information Officer, and the Committee on 
National Security Systems on incorporating network security and 
information assurance policies and practices for the ISE EAF and 
associated functional standards. (Planned completion: March 2007); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Action item: 1.13 The PM-ISE, in consultation with the ISC, will 
publish a fully documented ISE EAF Document and a Federal Enterprise 
Architecture-ISE profile. The development process will be worked in 
collaboration with the Office of Management and Budget, department and 
agency chief information officers, and ISC members. (Planned 
completion: March 2007); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Not complete but in process; 
Description of status as of March 1, 2008: Version 1.0 of the ISE EAF 
has been published and a draft version of the ISE profile has been 
developed and is undergoing review by the Chief Information Officers 
Council as a formal FEA Profile in the E-Gov program. Officials at the 
Office of the PM-ISE noted that an approval letter for the FEA Profile 
is pending signature by the Office of Management and Budget. 

Action item: 1.14 The PM-ISE, in consultation with the ISC, will 
develop a configuration management process for the control and 
management of updates to the ISE EAF document and Federal Enterprise 
Architecture-ISE profile. (Planned completion: December 2006); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Action item: 1.15 The Office of Management and Budget, in the Federal 
Enterprise Architecture Reference Models, will add the ISE EAF and the 
Federal Enterprise Architecture-ISE profile as compliance requirements 
in the Federal Transition Framework, a catalog of cross-agency 
initiatives, and the Federal Enterprise Architecture Program: 
Enterprise Architecture Assessment Framework, the maturity assessment 
guide for Federal enterprise architectures. (Planned completion: March 
2007); 
Status as of July 9, 2007: Complete; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Action item: 1.16 DHS will work with the PM-ISE to review existing 
policies and procedures for ascertaining relevant and effective 
approaches to migrate the ISE EAF models and attributes into the 
private sector. (Planned completion: June 2007); 
Status as of July 9, 2007: Complete; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Action item: 1.17 The PM-ISE will convene and chair a new working 
group, the Common Terrorism Information Sharing Standards Working 
Group, with representatives from all ISC members, the National 
Communications System, the National Institute of Standards and 
Technology (NIST), and the Committee on National Security Systems 
tasked with selecting and issuing information-sharing standards, 
approved through the ISC, and formally published by NIST. The Common 
Terrorism Information Sharing Standards may include new standards that 
agencies will introduce to affect on-going investment activities as 
project schedules and funding permit. Future funded investments 
incorporating the Common Terrorism Information Sharing Standards will 
be compatible with the federal enterprise architecture and national 
security system enterprise architectures, and identified in normal 
agency submittals to the Office of Management and Budget. The Common 
Terrorism Information Sharing Standards Working Group will issue common 
terrorism information sharing standards recommendations to the ISC for 
information sharing standards for non-federal government agencies. 
(Planned completion: December 2006); 
Status as of July 9, 2007: Complete; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Action item: 1.18 Departments and agencies will begin to incorporate 
the common terrorism information sharing standards into investment 
planning, consistent with ISE EAF incorporation, with full common 
terrorism information sharing standards incorporation into investments 
beginning execution in fiscal year 2009. This will include both civil 
and national security system investments. Agencies will also 
incorporate the common terrorism information sharing standards into 
information resource lifecycle processes to include capital planning 
and investment control processes. The common terrorism information 
sharing standards will provide the source of functional standards for 
information sharing in the Federal Enterprise Architecture's Technical 
and Data Reference Models. (Planned completion: June 2007); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Not complete but in process; 
Description of status as of March 1, 2008: In December 2006, the Office 
of Management and Budget released the Federal Transition Framework 
Version 1.0. The Office of Management and Budget described the Federal 
Transition Framework as a single source for clear and consistent 
information describing government-wide information technology policy 
objectives and cross-agency initiatives, such as the E-Gov and line of 
business initiatives. According to officials at the Office of the PM-
ISE, having the ISE descriptions in the Federal Transition Framework 
was a first step in ensuring that the PM-ISE and the Common Terrorism 
Information Sharing Standards are part of each agency's capital 
planning and investment control investment life-cycle; In October 2007 
the Common Terrorism Information Sharing Standards Program Manual, 
Version 1.0 was published. According to PM- ISE officials, they plan to 
conduct ISE management reviews (IMRs) with departments and agencies to 
assess if departments and agencies have incorporated the Common 
Terrorism Information Sharing Standards into investment planning. These 
reviews are expected to occur in April or May of 2008. PM-ISE officials 
further noted that they, in conjunction with the Office of Management 
and Budget, plan to conduct enterprise architecture reviews with 
departments and agencies in March 2008 that, in part, are based on the 
Federal Transition Framework Catalog. 

Action item: 1.19 The PM-ISE, in consultation with the ISC, will 
develop the common terrorism information sharing standards, version 2.0 
addressing additional processes, including those with foreign partners, 
and releasing priority functional standards supporting suspicious 
activity reports, cargo management and tracking, and general identity 
management. (Planned completion: June 2007); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Not complete but in process; 
Description of status as of March 1, 2008: The Common Terrorism 
Information Sharing Standards Program Manual, Version 1.0, was 
published in October 2007. According to PM-ISE officials, specific 
functional standards will be developed and published as required. 
According to officials at the Office of the PM-ISE, efforts to date 
include: development of functional standards for ISE suspicious 
activity reports;; coordination of cargo management and tracking 
standards currently underway; and; efforts to evaluate identify 
management technologies and processes remain underway through the 
Identity Management Pilot. Best practices and recommendations are to be 
developed as a result of this pilot and are intended to lead to the 
development of functional standards, as appropriate; According to PM- 
ISE officials, efforts to coordinate with foreign partners will 
commence with the initiation of the second phase of the Foreign 
Government Information Sharing Working Group and Guideline 4 efforts. 

Action item: 1.20 Within 30-days of approval of the proposed Guideline 
2 framework, the PM-ISE, in consultation with the ISC, will establish a 
Senior Level Advisory Group--consisting of ISC members or their 
designees--to ensure accountability, oversight, and governance for the 
effective operation of the framework. The advisory group will report 
the results of its oversight to the PM-ISE and the ISC. The advisory 
group will meet at least once per month during the first year of 
implementation. (Planned completion: December 2006); 
Status as of July 9, 2007: Complete; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Action item: 1.21 Within seven days of approval of the proposed 
framework, there will be established an implementation team--comprised 
of representatives from the Department of Defense; the Department of 
the Interior; the Department of Homeland Security; the Federal Bureau 
of Investigation; the National Counterterrorism Center; appropriate 
state, local, tribal, and private sector advocates; and the PM-ISE--to 
develop an implementation plan for the Interagency Threat Assessment 
and Coordination Group framework and to ensure its timely execution. 
The implementation team will develop and implement plans to notify 
state, local, and tribal officials of the Interagency Threat Assessment 
and Coordination Group's mission and responsibilities. (Planned 
completion: December 2006); 
Status as of July 9, 2007: Complete; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Action item: 1.22 The Interagency Threat Assessment and Coordination 
Group implementation team will submit semiannual reports to the PM-ISE 
that identify successes and shortcomings in implementing and operating 
the ISE within the Guideline 2 framework and outline steps to refine 
and improve the framework's operation. (Planned completion: Ongoing 
with first report due in the first quarter of Calendar Year 2007); 
Status as of July 9, 2007: Complete; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Action item: 1.23 The PM-ISE will establish a federal fusion center 
coordination group to identify federal resources to support the 
development of a network of state-sponsored fusion centers charged to 
share information at all levels of the ISE and will recommend funding 
options. (Planned completion: December 2006); 
Status as of July 9, 2007: Complete; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Action item: 1.24 The Department of Justice and the Department of 
Homeland Security will work with governors or other senior state and 
local leaders to designate a single fusion center to serve as the 
statewide or regional hub to interface with the federal government and 
through which to coordinate the gathering, processing, analysis, and 
dissemination of terrorism information. (Planned completion: March 
2007); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Action item: 1.25 The Department of Justice and the Department of 
Homeland Security, to the extent possible and practicable, will assume 
the responsibility for technical assistance and training to support the 
establishment and operation of these fusion centers. (Planned 
completion: March 2007); 
Status as of July 9, 2007: Complete; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Action item: 1.26 Appropriate federal departments and agencies will 
assess resources and develop and coordinate plans to assign 
representative personnel to state and local fusion centers. These 
representatives will work to the extent possible to further integrate-
-and where appropriate collocate--federal and state/regional resources. 
(Planned completion: March 2007); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Not complete but in process; 
Description of status as of March 1, 2008: A DHS/FBI Joint Deployment 
Plan was drafted in response to this action item, but remained in draft 
form at the end of Phase 1. This deployment plan is seen as a first 
step with additional coordination with stakeholders remaining to fully 
address this action item. 

Action item: 1.27 The Private Sector Subcommittee will produce a plan 
that implements elements of the framework as it affects the private 
sector. This plan must be consistent with statutes and presidential 
direction and ensure that information and privacy and legal rights are 
adequately protected. (Planned completion: June 2007); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Not complete but in process; 
Description of status as of March 1, 2008: A plan for implementing this 
action item was not in place by the end of Phase 1. However, several 
steps were taken towards meeting this action item. For example, DHS and 
members of the Critical Infrastructure Partnership Advisory Council 
jointly established a working group on information-sharing. The PM-ISE 
stated that this working group is expected to be the ISC conduit into 
the Critical Infrastructure Partnership Advisory Council and its 
private sector members, consisting of designated representatives from 
all the critical infrastructure and key resources sectors. The 
responsibilities of this working group are expected to include 
supporting the universe of government information- sharing initiatives 
coordinated by the PM-ISE that require engagement with the private 
sector (critical infrastructure and key resources owner/operator 
representatives) under the Critical Infrastructure Partnership Advisory 
Council structure. Further, an initial framework for private sector 
participation was drafted. 

Action item: 1.28 The Foreign Government Information Sharing Working 
Group, with coordination and assistance from the PM-ISE, will develop 
recommendations on Privacy Act systems of records notices and routine 
uses for the Guideline 5 Working Group. (Planned completion: March 
2007); 
Status as of July 9, 2007: Complete; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Action item: 1.29 The Foreign Government Information Sharing Working 
Group, with coordination and assistance from the PM-ISE, will develop a 
checklist of issues that need to be taken into account in negotiating 
international agreements, including privacy protections and possible 
review procedures. (Planned completion: June 2007); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Action item: 1.30 Federal departments and agencies, with coordination 
and assistance from the PM-ISE, will encourage bilateral and 
multilateral efforts whenever feasible and appropriate to develop "best 
practices" on terrorism information sharing (e.g., protocols on what to 
do if there is a "hit"). (Planned completion: Ongoing with a first 
progress report in the second quarter of Calendar Year 2007); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Not complete but in process; 
Description of status as of March 1, 2008: Work towards this action 
item was underway at the end of phase 1. For example, according to 
officials at the Office of the PM-ISE, work towards establishing a 
baseline on information-sharing agreements was underway. Further, an 
initial progress report on this effort is expected to be provided as 
part of an overall project plan from implementation guideline 4, which 
addresses facilitating information- sharing with foreign partners. 

Action item: 1.31 The Department of State's Foreign Service Institute, 
supported by the working group of ISC training representatives, will 
develop the core training module that will serve as the common 
educational baseline for the ISE. (Planned completion: June 2007); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Not complete but in process; 
Description of status as of March 1, 2008: Development of the core 
training module to serve as the common educational baseline for the ISE 
has been underway. To date, the Foreign Service Institute and ISC have 
undergone several iterations of review and comment on draft versions of 
the training course. According to PM-ISE officials, a November 2007 
review of the course by the ISC led to further revision and updating of 
the course outline and content, with the intent to incorporate 
additional computer based training capabilities. Also, in February 2008 
a focus group met to further revise the course content and structure. 

Action item: 1.32 The PM-ISE, in consultation with the ISC, will review 
departmental incentives for sharing of terrorism information and will 
measure their effectiveness. (Planned completion: June 2007); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Not complete but in process; 
Description of status as of March 1, 2008: According to a PM-ISE status 
report on the identification of incentives for information-sharing, the 
PM-ISE is in the process of developing guidance to federal departments 
and agencies to assist them, where necessary, in expanding current or 
developing new capabilities to recognize efforts that further promote a 
culture of terrorism information sharing across federal agencies and 
non-federal government entities. Also, an initial measure to identify 
whether or not departments and agencies have adopted incentives for 
sharing has been developed. As an initial step towards assessing the 
effectiveness of these incentives, the PM-ISE is also seeking to 
collect information on how best practices for incentives have been 
shared. 

Action item: 1.33 Each agency will ensure that one or more ISE Privacy 
Officials are designated in accordance with paragraph 12.a of the 
privacy guidelines. (Planned completion: December 2006); 
Status as of July 9, 2007: Complete; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Action item: 1.34 The PM-ISE will establish and designate a chair for 
the ISE Privacy Guidelines Committee. (Planned completion: December 
2006); 
Status as of July 9, 2007: Complete; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Action item: 1.35 The PM-ISE, in consultation with the ISE Privacy 
Guidelines Committee and the ISC, will establish a process for ensuring 
that non-Federal organizations participating in the ISE implement 
appropriate policies and procedures that provide protections that are 
at least as comprehensive as those contained in the Guidelines. 
(Planned completion: March 2007); 
Status as of July 9, 2007: Complete; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Action item: 1.36 The ISE Privacy Guidelines Committee will provide an 
assessment of the privacy and civil liberties protections of the ISE, 
including actions taken in the preceding year to implement or enforce 
privacy and civil liberties protections, to be included in the 
President's first annual ISE performance report. (Planned completion: 
June 2007); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Action item: 1.37 The Guideline 3 Coordinating Committee will complete 
its work and submit recommendations for sensitive but unclassified 
standardization through the White House policy process to the Assistant 
to the President for Homeland Security and Counterterrorism and the 
Assistant to the President for National Security Affairs. (Planned 
completion: March 2007); 
Status as of July 9, 2007: Complete; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Action item: 1.38 To align timelines, the PM-ISE will work with ISC 
members and other partners to establish cut-off dates for the yearly 
ISE performance management reports. (Planned completion: March 2007); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Action item: 1.39 Federal departments and agencies will use their 
information sharing and terrorism-related Fiscal Year 2006 goals, 
measures, and outcomes as input to the ISE Performance Management 
Report. (Planned completion: June 2007); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete; 
(Note: According to officials at the Office of the PM-ISE, federal 
departments and agencies will be expected to use the performance 
management framework defined in the 2007 annual report to management 
information sharing performance in 2008.) 

Action item: 1.40 Federal departments and agencies will reflect ISE 
goals in their individual performance management plans. (Planned 
completion: March 2007); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Not complete but in process; 
Description of status as of March 1, 2008: While departments and 
agencies provided examples of terrorism-related information sharing 
accomplishments they have participated in, reflecting ISE goals in 
individual department and agency performance management plans remains a 
work in process. 

Action item: 1.41 Federal departments and agencies will specify support 
to the ISE as part of their strategic plans and performance management 
efforts for the 2006-2007 cycle. (Planned completion: June 2007); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Not complete but in process; 
Description of status as of March 1, 2008: The September 2007 annual 
report contained the first set of ISE performance goals. Performance 
management efforts at individual departments and agencies have 
incorporated elements of these goals. For example, as reported to the 
PM-ISE, 10 of 12 ISE related departments and agencies responding the 
Program Manager's request for baseline information reported that they 
have established governance bodies specifically to handle information 
sharing issues. 

Action item: 1.42 Federal departments and agencies will work with the 
PM-ISE to develop specific ISE-wide program outcome goals and measures 
(performance measures and threshold values), as appropriate, for the 
goals listed in Section 1.5. (Planned completion: June 2007); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Not complete but in process; 
Description of status as of March 1, 2008: The September 2007 annual 
report contained the first set of annual performance goals for the ISE. 
Work remains in developing outcome oriented goals and measures for the 
ISE. Nevertheless, performance measures, with ISC contributions, were 
developed and distributed to agencies for a baseline assessment in 
September of 2007. These measure have been further refined for use the 
Spring 2008 assessment and are expected to inform the June 2008 Annual 
Performance Management Report. 

Action item: 1.43 Federal departments and agencies will provide their 
mid-year reviews of goals and measures to the PM-ISE (midyear reviews 
are required by the Information Sharing Guidelines and Requirements). 
(Planned completion: June 2007); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete; (Note: According 
to PM-ISE officials, this action item was met by completing the ISE's 
initial baseline assessment of goals and measures conducted in Fall 
2007.) 

Action item: 1.44 The PM-ISE, in coordination with the Office of the 
Director of National Intelligence, will illustrate interdependencies 
through a "crosswalk" of the ISE, National Intelligence Strategy, and 
National Implementation Plan goals and measures. The "crosswalk" will 
be completed by or before December 2006. (Planned completion: December 
2006); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Action item: 1.45 The PM-ISE and ISC members will develop performance 
objectives and measures, in cooperation with state, local, and tribal 
and private sector subcommittees, to address progress against the 
Guideline 2 framework. (Planned completion: June 2007); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Action item: 1.46 The PM-ISE will support the Office of Management and 
Budget, which will provide federal departments and agencies with budget 
guidance for fiscal year 2008. (Completed: September 2006); 
Status as of July 9, 2007: Complete; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Action item: 1.47 The PM-ISE will work with the Office of Management 
and Budget during the fall budget process to review federal 
departments' and agencies' investments with ISE priorities and the 
Office of Management and Budget will provide additional budget guidance 
to departments and agencies, as appropriate. (Planned completion: 
December 2006); 
Status as of July 9, 2007: Complete; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Action item: 1.48 The PM-ISE, with support from the Office of 
Management and Budget and the ISC, will begin planning for subsequent 
budget cycles. (Planned completion: March 2007); 
Status as of July 9, 2007: Not complete but in process; 
Status as of March 1, 2008: Complete; 
Description of status as of March 1, 2008: Complete. 

Total complete; 
Status as of July 9, 2007: 18; 
Status as of March 1, 2008: 33; 
Description of status as of March 1, 2008: [Empty]. 

Total not complete; 
Status as of July 9, 2007: 30; 
Status as of March 1, 2008: 15; 
Description of status as of March 1, 2008: [Empty]. 

Source: GAO analysis based on the Program Manager's reporting. 

[End of table] 

[End of section] 

Appendix II: Comments from Office of the Program Manager for the 
Information Sharing Environment: 

Office Of The Director Of National Intelligence Program Manager, 
Information Sharing Environment: 

Washington, DC 20511: 

6 June 2008: 

Ms. Eileen Larence: 
Director, Homeland Security and Justice Issues: 
U.S. Government Accountability Office 441 G Street, N.W.: 
Washington, DC 20548: 

Dear Ms. Larence: 

The PM-ISE appreciates the efforts of GAO in developing this assessment 
of the Information Sharing Environment, GAO-08-492. We have worked 
closely with your very good team throughout this audit and will 
continue to make every effort to accommodate the principal GAO 
recommendations to (1) "more fully define the scope and results to be 
achieved by the ISE and (2) develop a comprehensive set of performance 
measures that show the extent to which the ISE has been implemented and 
sharing improved." 

Your report attempts to present the ISE Implementation Plan (November 
2006) actions in summary fashion. I suggest that a more up-to-date 
status report on the ISE can be found in the 2008 ISE Annual Report to 
Congress (June 2008), which is more current than the data used for this 
report. The Office of the PM-ISE has now had three years' experience 
working the information sharing problem. We are pioneering, at least 
within the Federal Government, in building a true, extensive government-
wide information sharing environment. No one, to my knowledge, has 
attempted this before. No one, to my knowledge, knows with certainty 
the correct path, or sees a clear end state of the ISE. Indeed, there 
is no end state in the true meaning of that term, only a vision. 

Of course, many of the principles and practices of program management 
cited in this report correctly apply to the ISE. But, I do not need to 
emphasize to you that there is no "school solution" to the problem of 
information sharing; one size does not fit all; and implementation 
plans must be flexible and dynamic to adjust to the unforeseen and the 
unintended. 

In retrospect, I deem it a PM-ISE responsibility to convey a better 
appreciation to GAO for the evolutionary nature of these activities and 
for what actually has been accomplished in the two particular areas 
cited in this report. However, I also caution that the ISE is not a 
traditional "program" as the report describes, and therefore trying to 
audit an interagency initiative strictly within program parameters 
presents problems. We are not suggesting that the Program Manager or 
the Interagency should not be held responsible and accountable for 
progress, but rather, that trying to audit the ISE as if it were a 
formal "program" with clearly identified resources can distract 
decision and policy makers from understanding actual progress, as well 
as existing impediments. 

Scope of the ISE—"What the ISE is to include":  

I would emphasize that the ISE is an evolutionary process that requires 
attention to both structure and function. ISE stakeholders have been 
involved in the incremental development of processes, protocols and 
technology standards that have been documented in a series of 
publications -- key aspects of which are summarized here to facilitate 
the task of communicating a better understanding of the full scope and 
purpose of the ISE. These include the foundations, vision, and purpose 
for the ISE, as well as a description of the framework and the process 
invoked to build the ISE. 

Foundations: The foundations of the ISE were set forth in the 
President's information sharing guidelines and requirements, refined in 
the ISE Implementation Plan (IP), and fully synthesized in the National 
Strategy for Information Sharing (NSIS). The President's guidelines 
described ISE capabilities in terms of interrelated policies, business 
processes, standards, and systems, which together constitute the 
sharing environment envisioned in the Intelligence Reform and Terrorism 
Prevention Act (IRTPA) and the NSIS. The NSIS recognizes progress made 
in information sharing to date and describes the Administration's 
"expectations and plans for achieving improvements in the gathering and 
sharing of information related to terrorism." It also reaffirmed the 
vision, goals, and strategies embodied in the ISE Implementation Plan, 
while acknowledging that today's sharing environment serves as a 
platform from which to continuously improve the sharing of terrorism-
related information among all levels of government, the private sector, 
and foreign partners. 

Vision: The critical question addressed by PM-ISE in developing the 
future ISE was how best to deliver this vision of the environment—of "a 
trusted partnership between all levels of government in the United 
States, the private sector, and our foreign partners, to detect, 
prevent, disrupt, preempt, and mitigate the effects of terrorism 
against the territory, people, and interests of the United States of 
America by the effective and efficient sharing of terrorism 
information." The challenge lay in reconciling myriad policy, process 
and technology differences among multiple organizations tasked to 
perform a variety of disparate missions. These differences posed real 
impediments to ISE success, including conflicting or incompatible 
policies, processes, and procedures for information classification, 
access vetting, security and privacy; incompatible or non-interoperable 
legacy systems and data formats; conflicting approaches to information 
sharing; and conflicting management structures for overseeing 
information sharing partners. With these challenges in mind, PM-ISE, in 
consultation with the Information Sharing Council, has pursued the 
following clearly defined purpose for the ISE. 

Purpose: The purpose of the ISE is to rationalize, standardize, and 
simples the policies, business processes, standards, and systems used 
to share information. Although the ISE strives to achieve as much 
uniformity as possible, actual implementation varies from community to 
community due to disparate mission needs and the immediate capabilities 
of each. By way of example, State and local processes and policies will 
not be identical to those of the Federal Government; nor will the needs 
of most cities be the same as those of major urban areas. Accordingly, 
rather than striving to develop identical implementation across the 
ISE, the intent has consistently focused on being able to achieve the 
best possible capabilities—based on a common framework supplemented by 
mutually agreed, mostly common policies, business processes, standards, 
and systems—but flexibly tailored to diverse ISE participant 
requirements. 

Requirements: 

In an evolutionary process without a fixed end point, policies, 
business processes, standards, and systems all have to be regularly 
reviewed and refreshed—through discrete phases or maturity levels—from 
"ad hoc" to "managed" to "defined," and ultimately, to "optimized." The 
current state of the ISE is that it is moving from "managed" to 
"defined" as a result of the significant steps taken to break down 
barriers and improve sharing practices in selected critical areas. To 
reach the "optimized" phase, organizational cultures must progress to a 
point where sharing is fully institutionalized and ingrained into all 
aspects of day-to-day operations. 

The ISE Implementation Plan (which formed the basis for the majority of 
the GAO conclusions and recommendations in this report), is a 
particularly useful document that accomplished its intended purpose—to 
prepare the effort of building the ISE. The ISE Implementation Plan was 
not intended, however, to control every step made in furtherance of the 
ISE. It was a plan to implement a vision, not to complete a program. 

What made sense in the 2006 plan requires reassessment and modification 
at each juncture in the development process. That plan was developed in 
response to a number of drivers. Among them was the need: 

* to further define and scope the ISE; 

* to identify a course of action that was timely and strategically 
responsive to Congress (IRTPA) and the President (Guidelines and 
Requirements); 

* to meet immediate, tactical requirements of ISE participants – 
federal, state, local, tribal governments, the private sector, and 
foreign allies and partners; 

Creating the ISE defined by Congress—an "approach that facilitates the 
sharing of terrorism information "—required the PM-ISE to establish a 
plan to incrementally examine the full range of available, but 
evolving, technology, policy and governance structures, and the 
dimensions of structural transformation. Absent any specific ownership 
of the information sharing problem – it requires highly decentralized 
systems and networks capable of serving the full range of ISE 
stakeholders with the equities of each taken into account.

Performance Measures – what has been achieved: 

Progress in implementing the ISE is a function of four steps: (1) 
identifying, prioritizing, and measuring continuous improvements to ISE 
capabilities by modifying processes or creating new ones; (2) issuing 
guidance and standards to ISE participants; (3) providing demonstrable 
evidence of the effects of these changes through selected information 
sharing pilots and evaluation environments; and (4) incorporating these 
improvements into established government resource management processes. 
The following paragraphs describe how ISE progress is being measured 
and how it influences department and agency investment strategies. 

PM-ISE introduced a performance management approach in the 2007 Annual 
Report to Congress to systematically assess ISE implementation, 
identify improvement opportunities, comply with applicable mandates, 
and bolster long-term, sustainable performance management. This 
approach aligns ISE performance measurement areas to each of the 2008 
Performance Goals, which in turn are aligned to the four ISE functional 
areas presented in the 2008 Annual Report. PM-ISE developed 2008 
Performance Goals for each of the functional areas to articulate the 
expected results of ISE implementation, and established measurement 
areas, including a suite of both current and planned measures, to 
demonstrate progress for each of the Performance Goals. Using that 
approach and the performance measures, PM-ISE established an ISE 
baseline of performance in fall 2007, and measured agencies' progress 
against this baseline through an assessment performed in spring 2008. 
The result provided better insight into how the ISE fared in response 
to the 2008 Performance Goals. Performance goals for 2009 have also 
been revised to ensure alignment with relevant ISE IP and NSIS themes. 

For the first time, the fall 2007 and spring 2008 performance 
assessments provided the PM-ISE with fact-based data to support 
decisions and report ISE implementation progress against the 
information sharing mandates of IRTPA, the 9/11 Commission Act, the 
President's Guidelines and Requirements, and the NSIS. The 
comprehensive set of performance measures required to assess ISE 
implementation as well as improvements in the state of information 
sharing were developed in conjunction with ISE stakeholders. The 2008 
ISE Performance Goals reflect corresponding ISE functional areas and 
provide the target levels of performance against which actual 
achievement can be compared. These performance measures are now being 
applied successfully; each is reported more fully in the 2008 Annual 
Report to Congress. 

Conclusion: 

There is mention in the report that one of the challenges of the ISE is 
interagency attention and priority to ISE initiatives. However, there 
is no accompanying recommendation that, as the President clearly 
delineated in his December 2005 Guidelines and Requirements Memorandum 
(addressed directly to "Heads of Executive Branch Departments and 
Agencies), and then re-emphasized in his October 2007 NSIS, that such 
"heads of executive departments and agencies must actively work to 
create a culture of information sharing within their respective 
departments or agencies by assigning personnel and dedicating resources 
to terrorism information sharing, by reducing disincentives to such 
sharing, and by holding their senior managers and officials accountable 
for improved and increased sharing of such information." Agencies and 
their leaders must be evaluated and held directly accountable for ISE 
progress and they must put effective information sharing strategies and 
programs in place within their agencies. 

The ISE is a government-wide transformational effort that needs to be 
evaluated as such. It must not be looked at as simply a project or 
program of the PM-ISE. This is not to say that programmatic evaluations 
are not useful, helpful, and necessary in a broader evaluation of the 
ISE effort; they are. But they are not sufficient. 

We appreciate the opportunity to work with you on this assessment and 
look forward to a continued dialog. 

Sincerely,

Signed by: 

Thomas E. McNamara: 

[End of section] 

Appendix III: GAO Contacts and Acknowledgments: 

GAO Contacts: 

Eileen R. Larence (202) 512-8777 or larencee@gao.gov, or David A. 
Powner at 202-512-9286 or pownerd@gao.gov: 

Acknowledgments: 

In addition to the contact named above, Susan H. Quinlan, Assistant 
Director; Richard Ascarate; Jason Barnosky; Amy Bernstein; Joseph Cruz; 
Thomas Lombardi; Lori Martinez; and Marcia Washington made key 
contributions to this report. 

[End of section] 

Footnotes: 

[1] These actions included issuance of the National Strategy for 
Homeland Security, the National Strategy to Secure Cyberspace and the 
National Strategy for the Physical Protection of Critical 
Infrastructures and Key Assets; issuance of Homeland Security 
Presidential Directives 6 and 7, calling, respectively, for the 
consolidation of the government's approach to terrorism screening and a 
national policy for identifying and prioritizing critical 
infrastructures and key resources and protecting them from terrorist 
attacks, among other things; and the enactment of legislation calling 
for, among other things, efforts to facilitate the sharing of terrorism-
related information. See Intelligence Reform and Terrorism Prevention 
Act of 2004 (Intelligence Reform Act), Pub. L. No. 108-458, 118 Stat. 
3638; Homeland Security Act of 2002, Pub. L. No. 107-296, 116 Stat. 
2135. 

[2] See Pub. L. No. 108-458, § 1016 Stat. at 3664-70, amended by 
Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 
Commission Act), Pub. L. No. 110-53, § 504, 121 Stat. 266, 313-17. See 
also Pub. L. No. 107-296, § 892, 116 Stat. at 2253-54 (requiring the 
establishment of procedures for the sharing of homeland security 
information, as defined by this section). 

[3] GAO, High Risk Series: An Update, GAO-05-207 (Washington, D.C.: 
January 2005). 

[4] GAO, Information Sharing: The Federal Government Needs to Establish 
Policies and Processes for Sharing Terrorism-Related and Sensitive but 
Unclassified Information, GAO-06-385 (Washington, D.C.: Mar. 17, 2006). 

[5] GAO, Suggested Areas for Oversight for the 110th Congress, GAO-07-
235R (Washington, D.C.: Nov. 17, 2006). 

[6] Pub. L. No. 103-62, 107 Stat. 285 (1993). 

[7] Office of Management and Budget, Circular A-11, Preparation, 
Submission, and Execution of the Budget (July 2007) and Circular A-130, 
Management of Federal Information Resources (Nov. 28, 2000). 

[8] See for example, GAO, Results-Oriented Government: GPRA Has 
Established a Solid Foundation for Achieving Greater Results, GAO-04-38 
(Washington, D.C.: Mar. 10, 2004); GAO, Executive Guide: Effectively 
Implementing the Government Performance and Results Act, GAO/GGD-96-118 
(Washington, D.C.: June 1996); GAO, Agency Performance Plans: Examples 
of Practices That Can Improve Usefulness to Decisionmakers, GAO/GGD/ 
AIMD-99-69 (Washington, D.C.: Feb. 26, 1999); GAO, Results-Oriented 
Government: Practices That Can Help Enhance and Sustain Collaboration 
among Federal Agencies, GAO-06-15 (Washington, D.C.: October 2005); 
GAO, Information Technology: Foundational Steps Being Taken to Make 
Needed FBI Systems Modernization Management Improvements, GAO-04-842 
(Washington, D.C. Sept. 10, 2004); GAO, Homeland Security: US-VISIT 
Program Faces Operational, Technological, and Management Challenges, 
GAO-07-632T (Washington, D.C. Mar. 20, 2007); and GAO, Information 
Technology Management: Governmentwide Strategic Planning, Performance 
Measurement, and Investment Management Can Be Further Improved, GAO-04-
49 (Washington, D.C. Jan. 12, 2004). 

[9] The Project Management Institute, The Standard for Program 
Management© (2006). 

[10] CMMI is registered with the U.S. Patent and Trademark Office by 
Carnegie Mellon University. 

[11] See Pub. L. No. 108-458, § 1016, 118 Stat. at 3664-70, amended by 
Pub. L. No. 110-53, § 504, 121 Stat. at 313-17. The term "terrorism- 
related information" encompasses the definitions of "terrorism 
information," "homeland security information," and "weapons of mass 
destruction information" in accordance with the Intelligence Reform 
Act, as amended, as well as law enforcement information relating to 
terrorism or the security of the homeland, in accordance with the ISE 
Implementation Plan. 

[12] See Pub. L. No. 108-458, § 1016(e), 118 Stat. at 3666-67. The 
Program Manager issued the ISE Implementation Plan in November 2006 
and, as such, the contents of the Plan may not fully reflect amendments 
made by the 9/11 Commission Act. For example, whereas before the 
amendments the ISE focused on the sharing of "terrorism information" as 
defined in the Act, the ISE now explicitly encompasses "homeland 
security information," as defined by the Homeland Security Act, as well 
as terrorism information, which now includes "weapons of mass 
destruction information," as defined by the 9/11 Commission Act. 

[13] See Presidential Memorandum, Memorandum from the President for the 
Heads of Executive Departments and Agencies, Subject: Guidelines and 
Requirements in Support of the Information Sharing Environment (ISE) 
(Dec. 16, 2005). 

[14] Sensitive but unclassified information encompasses a large but 
unquantifiable amount of information--for example, security plans for 
federal agency buildings--that does not meet the standards established 
by executive order for classified national security information but 
that an agency nonetheless considers sufficiently sensitive to warrant 
safeguarding and restricted dissemination. 

[15] GAO, Information Sharing: The Federal Government Needs to 
Establish Policies and Processes For Sharing Terrorism-Related and 
Sensitive but Unclassified (SBU) Information, GAO-06-385 (Washington, 
D.C.: Mar. 17, 2006). 

[16] GAO, Homeland Security: Federal Efforts Are Helping Alleviate Some 
Challenges Encountered by State and Local Fusion Centers, GAO-08-35 
(Washington, D.C.: Oct. 30, 2007). 

[17] Under the Intelligence Reform Act, the intelligence community was 
reorganized under a Director of National Intelligence who oversees the 
17 departments and agencies that make up the intelligence community. 
The intelligence community is one of the 5 communities of interest for 
the ISE and the Director of National Intelligence is a member of the 
ISC. 

[18] GAO, Information Technology: Terrorist Watch Lists Should be 
Consolidated to Promote Better Integration and Sharing. GAO-03-322 
(Washington, D.C.: Apr. 15, 2003). 

[19] GAO, Terrorist Watch List Screening: Opportunities Exist to 
Enhance Management Oversight, Reduce Vulnerabilities in Agency 
Screening Processes, and Expand Use of the List. GAO-08-110 
(Washington, DC.: Oct. 11, 2007) and U.S. Department of Justice Office 
of the Inspector General, Follow-Up Audit of the Terrorist Screening 
Center, Audit Report 07-41 (September 2007). 

[20] Program Manager, Information Sharing Environment, Information 
Sharing Environment Implementation Plan (Washington, D.C.: November 
2006). As noted earlier, the Program Manager issued the Implementation 
Plan before the 9/11 Commission Act amendments that expressly broadened 
the scope of information to be shared within the ISE. 

[21] Program Manager, Information Sharing Environment, Information 
Sharing Environment Implementation Plan. 

[22] The White House, National Strategy For Information Sharing: 
Successes and Challenges in Improving Terrorism-Related Information 
Sharing. (Washington, D.C.: Oct. 31, 2007). 

[23] In describing outcomes and output measures, OMB guidance notes the 
following: Outcomes describe the intended result of carrying out a 
program or activity. They define an event or condition that is external 
to the program or activity and that is of direct importance to the 
intended beneficiaries and/or the public. For a tornado warning system, 
an outcome measure could be the number of lives saved and property 
damage averted. In contrast, an output measure is one that describes 
the level of activity that will be provided over a period of time, 
including a description of the characteristics (e.g., timeliness) 
established as standards for the activity. Outputs refer to the 
internal activities of a program (i.e., the products and services 
delivered). For example, an output could be the percentage of warnings 
that occur more than 20 minutes before a tornado forms. While 
performance measures must distinguish between outcomes and outputs, 
there must be a reasonable connection between them, with outputs 
supporting (i.e., leading to) outcomes in a logical fashion. According 
to OMB, outcome measures are the most informative measures about 
performance because they are the ultimate results of a program that 
benefit the public. 

[24] See, for example, GAO, Results-Oriented Government: GPRA Has 
Established a Solid Foundation for Achieving Greater Results, GAO-04-38 
(Washington, D.C.: Mar. 10, 2004); GAO, Executive Guide: Effectively 
Implementing the Government Performance and Results Act, GAO/GGD-96-118 
(Washington, D.C.: June 1996); Office of Management and Budget, 
Circular A-11, Preparation, Submission, and Execution of the Budget 
(July 2007); and The Project Management Institute, The Standard for 
Program Management© (2006). 

[25] Performance goals are comprised of performance measures, with 
targets and time frames, which serve as an indicator to gauge program 
performance against the goals. 

[26] Generally speaking, an enterprise architecture is to connect an 
organization's strategic plan with program and system solution 
implementations by providing the details needed to guide investments in 
a consistent, coordinated, and integrated fashion. An enterprise 
architecture is intended to provide a clear and comprehensive picture 
of an entity, whether it is an organization (e.g., federal department) 
or a functional or mission area that cuts across more than one 
organization (e.g., homeland security). This picture is to consist of 
snapshots of both the enterprise's current or "As Is" operational and 
technological environment and its target or "To Be" environment, as 
well as a capital investment road map for transitioning from the 
current to the target environment. 

[27] Performance goals are comprised of performance measures, with 
targets and time frames, which serve as indicators to gauge program 
performance against the goals. 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability.  

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates."  

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to:  

U.S. Government Accountability Office: 
441 G Street NW, Room LM: 
Washington, D.C. 20548:  

To order by Phone: 
Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061:  

To Report Fraud, Waste, and Abuse in Federal Programs:  

Contact:  

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470:  

Congressional Relations:  

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548:  

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: